Abstract


We  propose  a  mathematical  framework  for  unifying  and  generalizing  the  principal  data  models,  i.e.,  the 
relational,  hierarchical  and  network  models.  Until  recently  most  theoretical  work  on  databases  has  focused 
on  the  relational  model,  mainly  due  to  its  elegance  and  mathematical  simplicity  compared  to  the  other 
models. Some of this work has pointed out various disadvantages of the relational model, among them its
lack of semantics and the fact that it forces the data to have a flat structure that the real data does not
always have.

The  Logical  Data  Model  (LDM)  combines  the  advantages  of  the  relational,  network  and  hierarchical 
approaches.  It  models  database  schemas  as  directed  graphs,  in  which  the  leaves  correspond  to  the  attributes 
and  the  internal  nodes  to  connections  between  the  data.  Instances  of  LDM  schemas  consist  of  r-values,  which 
constitute  the  data  space,  and  l-values,  which  constitute  the  address  space.  We  are  thus  able  to  deal  with 
instances  of  cyclic  structures,  but  still  get  a  first-order  theory. 

We  define  a  logic  on  LDM  schemas  in  which  integrity  constraints  can  be  specified,  and  use  it  to  define 
a logical, i.e., non-procedural, query language that is analogous to Codd’s relational calculus. We also
describe an algebraic, i.e., procedural, query language and prove that the two languages are equivalent.
These languages have a novel feature: not only can they access a non-flat data structure, e.g., a hierarchy,
but the answers they produce do not have to be flat either. Thus, the language really does have the ability
to restructure data and not only to retrieve it, and can therefore be used both as a query language and for
defining views.




Acknowledgments 


I  would  like  to  especially  thank  my  adviser,  Jeff  Ullman.  He  both  suggested  this  area  as  a  good  one  for 
research, and was very helpful in advising me which directions to explore. I would like to thank Moshe Vardi,
Dave Maier, Christos Papadimitriou, Gio Wiederhold, Ernst Mayr and Richard Hull for comments on my
work. Moshe Vardi in particular was very helpful in defining the logical query language. I would also like to
thank my officemates Howard Trickey, Hank Korth, Jerry Plotnick, Eric Berglund, Joe Pallas, Vineet Singh
and Kai Yue.

This thesis was produced using LaTeX, a macro package designed by Leslie Lamport for Don Knuth’s TeX
typesetting system. The bibliography was prepared with BibTeX, written by Oren Patashnik. Financial
assistance  for  this  work  was  provided  by  AFOSR  grant  80-0212,  and  NSF  grant  IST-12791. 


Contents


Abstract

Acknowledgments

1. Introduction

2. Previous Work
2.1. Database Logic
2.2. The Format Model
2.3. Non-First-Normal Form Relations
2.4. Non-Procedural Query Languages for the Network Model
2.5. Non-Procedural Query Languages for the Hierarchical Model
2.6. Statistical Databases

3. Introduction to the Logical Data Model
3.1. Data Structuring in the Logical Data Model
3.1.1. The Relational Model
3.1.2. The Network Model
3.1.3. The Hierarchical Model
3.1.4. Instances of LDM Schemas
3.1.5. The Entity-Relationship Model
3.2. Query Languages
3.2.1. The Logical Query Language
3.2.2. The Algebraic Query Language

4. LDM Schemas and Instances
4.1. LDM Schemas
4.2. Instances of LDM Schemas

5. The LDM Logic
5.1. Definition of the Logic
5.2. The Relation between LDM logic and First-Order Logic
5.2.1. Mapping LDM Logic into First-Order Logic
5.2.2. Mapping the First-Order Logic into LDM Logic
5.2.3. Consequences of the Reduction
5.3. A Proof Theory for LDM Logic
5.4. The Complexity of Integrity Checking

6. The Logical Query Language
6.1. Introduction
6.2. The LDM Query Language
6.3. Safe Queries
6.4. Ordering the Nodes in a Query
6.5. Complexity of the Query Language

7. The Algebraic Query Language
7.1. The Algebraic Operators
7.1.1. Operators that Copy and Combine Existing Nodes
7.1.2. Selection Operators
7.1.3. Union, Difference and Projection
7.2. Equivalence of the Logical and Algebraic Query Languages
7.3. Various Results about the Algebra

8. Elimination of Cycles
8.1. Introduction
8.2. Converting Cyclic Schemas to Acyclic Ones
8.3. Equivalence of the Schemas

9. Conclusions

A. An Early Attempt at the Query Language
A.1. Introduction
A.2. Safety up to Duplication
A.3. Absolute Safety
A.4. Undecidability

B. An Alternative Logical Data Model
B.1. The Model
B.2. The Query Language
B.3. Safety

Bibliography



List  of  Figures 


1. The Person-Parent relation
2. The Person-Parent relation as an LDM schema
3. The genealogy as a network
4. LDM schema corresponding to Fig. 3
5. The genealogy as a hierarchy
6. LDM schema corresponding to Fig. 5
7. The genealogy as a hierarchy with virtual records
8. LDM schema corresponding to Fig. 7
9. Instance of the LDM schema that corresponds to a relation
10. Instance of the LDM schema that corresponds to a hierarchy
11. Pictorial representation of the instance in Fig. 10
12. Department-Employee example
13. Project-Worker example
14. LDM Schema
15. Instance of Fig. 14
16. Example of a logical query
17. Another example of a logical query
18. First step of the algebraic query
19. Second step of the algebraic query
20. Third step of the algebraic query
21. Nodes in LDM schemas
22. Schema of Q1
23. Result of Q1
24. Schema of Q2
25. Schema of Q3
26. Result of Q3
27. Schema of Q4
28. Result of Q4
29. Query used in the proof of Theorem 26
30. Reduction from 3SAT
31. The algebraic operation w ← □(v)
32. The algebraic operation w ← O(v)
33. The algebraic operation w ← O(v1, ..., vn)
34. The algebraic operation w ← . . . , vn)
35. Example of the algebraic operation u' ← □(u)
36. A smaller instance of the genealogy schema
37. Example of the algebraic operation u' ← O(u)
38. Result of u' ← O(u)
39. Example of the algebraic operation v' ← O(u, v)
40. Result of the operation v' ← O(u, v)
41. The algebraic operation w ← &{ $ y(v)
42. The algebraic operation w ← σin(u, v)
43. Example of selection
44. Result of the operation u' ← σ1=“Rehoboam”(u)
45. Example of the algebraic operation u' ← σin(w, v)
46. Result of the algebraic operation u' ← σin(w, v)
47. The algebraic operation w ← ∪(u1, u2)
48. The algebraic operation w ← II^ _„,}(u)
49. Constructing an equivalent algebraic query
50. Result of Qdom
51. Schema of Qprod
52. Result of Q^j
53. Result of Q*
54. Result of Qfinal
55. Proof that restriction is essential
56. Cyclic schema
57. An acyclic schema equivalent to it
58. A cyclic schema
59. Corresponding acyclic schema
60. Cycles through v
61. After breaking the cycles
62. Proof of Lemma 38
63. A logical query
64. Undecidable query
65. Database schema and logical query



Chapter  1 

Introduction 


This  thesis  proposes  a  new  model  for  data,  the  Logical  Data  Model  (LDM).  The  purpose  of  the  LDM  model 
is  to  combine  the  advantages  of  what  are  currently  the  principal  data  models.  Most  database  systems  are 
based on either a hierarchical or a network model [COD71] [ANS75] [IBM78] [Wie83] [Dat81] [Ull82], both
of  which  describe  in  detail  how  the  data  is  stored  in  the  computer.  Because  of  this,  databases  based  on  these 
models  can  be  implemented  efficiently,  but  on  the  other  hand  they  are  awkward  to  use,  since  the  user  has 
to  be  aware  of  a  lot  of  details  about  the  physical  implementation. 

For  this  reason,  Codd  [Cod70]  introduced  the  relational  model.  In  the  relational  model,  the  user’s  view 
of  the  data  is  that  it  is  stored  in  tables,  and  he  does  not  have  to  be  aware  of  the  precise  details  of  the  physical 
implementation.  Codd  [Cod72]  defined  two  query  languages  on  relational  databases.  One  of  these  is  a  logical, 
i.e.,  non-procedural,  language,  which  is  used  to  specify  what  the  result  of  the  query  should  be,  without 
describing  explicitly  how  to  compute  it.  The  second  language  is  an  algebraic,  i.e.,  procedural,  language, 
equivalent  to  the  logical  language,  which  the  system  uses  to  answer  the  query.  These  query  languages  have 
a  unique  property  not  shared  by  network  and  hierarchical  database  management  systems:  The  result  of  a 
query  is  a  relation,  i.e.,  has  the  same  structure  as  the  data  in  the  original  database.  One  consequence  of 
this  property  is  that  the  same  language  can  be  used  for  view  definition,  and  another  consequence  is  that  the 
query language can handle complex queries by breaking them up into simpler subqueries.

The  relational  model  introduces  another  level  of  abstraction  between  the  physical  representation  of  the 
data and what the user actually sees. As a result, relational systems are harder to implement efficiently than network and
hierarchical  systems.  The  implementation  problems  have  by  now  been  solved,  to  a  large  extent  [Tod76]  [Zlo77] 
[SWKH76]  [A*76].  Besides  the  issue  of  efficiency,  however,  the  relational  model  has  another  disadvantage. 
By  forcing  the  data  to  have  a  flat  structure,  i.e.,  by  requiring  that  all  the  data  be  in  the  form  of  tables, 
some  of  the  semantics  of  the  data  is  lost  [Cod70]  [HM81]  [SS75]  [SS77a].  For  example,  if  there  is  a  natural 
connection  in  the  data  between  individual  objects  and  sets  of  objects  of  another  type,  we  lose  some  of  the 
structure  of  the  data  by  forcing  it  into  a  first  normal  form  relation  [JS82].  While  it  is  always  possible  in 
some  way  to  encode  the  information  in  a  relational  form,  this  is  not  always  the  most  natural  thing  to  do. 
As  another  example,  hierarchical  and  network  database  management  systems  have  the  ability  to  use  virtual 
records.  These  are  essentially  pointers  to  physical  records,  and  are  used  to  avoid  redundancy  in  the  database 
[Ull82]. Update anomalies are one of the consequences of the fact that the relational model does not model
virtual  records. 

The  logical  data  model  combines  the  advantages  of  both  approaches.  As  in  network  and  hierarchical 
databases,  the  data  has  more  structure  than  in  the  relational  model.  In  particular,  we  can  use  the  LDM 
model  to  model  cyclic  structures  and  virtual  records.  On  the  other  hand,  we  do  not  lose  the  advantages 
of  the  relational  model.  As  in  the  relational  model,  our  model  has  two  query  languages:  A  logical,  i.e., 
non-procedural, and an equivalent algebraic, i.e., procedural, language. These languages are analogous to
the  relational  calculus  and  algebra,  and  have  the  novel  feature  that  not  only  can  they  access  a  non-flat  data 
structure,  e.g.,  a  hierarchy,  but  the  answers  they  produce  do  not  have  to  be  flat  either.  Thus,  the  language 
really  does  have  the  ability  to  restructure  data  and  not  only  to  retrieve  it. 

The  organization  of  the  thesis  is  as  follows.  Chapter  2  describes  some  related  work.  In  Chapter  3,  we 
give  an  informal  description  of  the  LDM  model.  We  show  how  to  map  various  data  models  into  the  logical 
data  model,  and  give  some  informal  examples  of  the  two  query  languages.  Chapter  4  contains  the  formal 
definitions  of  LDM  schemas  and  instances. 

In  the  following  two  chapters,  we  define  the  logical  query  language.  In  Chapter  5  we  define  a  logic  on 
LDM  schemas.  We  prove  various  results  about  the  logic,  including  the  fact  that  it  is  equivalent  to  a  certain 
first-order  logic.  We  also  give  a  proof  theory  for  the  logic,  and  some  complexity  results.  In  Chapter  6  we  use 
the  logic  to  define  a  logical  query  language.  We  also  discuss  when  a  logical  query  is  safe,  and  conclude  with 
some  complexity  results. 

In  Chapter  7  we  define  the  algebraic  query  language,  and  show  that  it  is  equivalent  to  the  logical  language. 
In  Chapter  8  we  investigate  the  role  of  cyclicity  in  database  schemas.  We  show  that  under  one  measure  of 
information  content,  cycles  are  unnecessary,  i.e.,  anything  that  can  be  represented  by  a  cyclic  schema  can 
also be represented by some acyclic schema. We conclude in Chapter 9 with some directions for future work.


Chapter  2 

Previous  Work 


2.1.  Database  Logic 

Jacobs  [Jac79]  [Jac80]  [Jac82]  defined  what  he  called  “database  logic.”  Database  logic  is  a  mathematical 
model  of  databases  that  claims  to  generalize  the  relational,  network  and  hierarchical  models.  In  database 
logic, a database schema is a set of rules of the form Rj = (Rj1, ..., Rjk). An instance of such a schema is
essentially  a  table,  in  which  the  entries  can  themselves  be  tables  rather  than  simple  attributes.  His  model  is 
a  natural  way  to  describe  a  hierarchy,  and  it  can  also  be  used  to  describe  a  network.  Jacobs  then  defines  a 
logical  query  language  on  database  schemas. 

His  model  has  various  shortcomings.  One,  relatively  minor,  is  that  the  representation  of  a  hierarchy 
does  not  allow  virtual  records.  A  more  serious  problem  is  how  he  handles  cyclicity.  He  allows  schemas  to 
contain  cycles,  but  explicitly  forbids  cycles  on  the  instance  level.  Besides  this,  he  also  has  an  unnecessarily 
complicated  definition  of  nesting  depth.  The  lack  of  cyclicity  in  instances  is  a  severe  restriction  on  the 
expressive  power  of  the  model. 

Another  shortcoming  of  his  model  is  the  definition  of  a  database  instance.  Since  instances  are  acyclic, 
he  is  able  to  construct  instances  bottom-up.  The  problem  is  that  his  definition  is  rather  complicated,  and 
as the user’s view of the data consists of precisely these instances, we would like them to be as simple as
possible. 

Finally,  the  logic  is  not  first-order.  While  using  a  more  powerful  logic  does  increase  the  expressiveness 
of  the  logic,  it  also  makes  it  harder  to  handle  mathematically.  In  fact  the  query  language  turns  out  to  be 
too  powerful,  as  it  enables  one  to  write  queries  whose  result  is  not  computable  [Var83].  This  is  one  reason 
why  he  does  not  define  an  equivalent  algebraic  language,  and  therefore  his  model  contains  only  a  logical,  i.e., 
nonprocedural,  query  language. 


2.2.  The  Format  Model 

The  format  model  was  introduced  by  Hull  and  Yap  [HY82].  The  format  model  is  an  attempt  to  generalize 
the  relational  and  hierarchical  models.  A  database  schema,  or  format,  is  a  tree  with  labels.  The  leaves 
correspond  to  the  attributes  in  the  relational  model,  and  the  internal  nodes  represent  various  connections 
between  the  data. 

More formally, formats are made from fundamental components, called basic types, and three constructors,
composition, collection and classification. A format is a tree with labels assigned to the nodes: Basic
types are assigned to the leaves, and the other constructors are assigned to the internal nodes. The notation
they use is: □ for basic types, O for composition, O for collection and A for classification.

Each  basic  type  has  a  corresponding  domain,  i.e.,  a  set  of  values.  The  domains  of  the  internal  nodes  are 
defined  as  follows.  The  composition  constructor,  O,  is  similar  to  the  cartesian  product  in  the  relational 
model, and to the aggregation of [SS77a]. The domain of a node of type O is the cartesian product of the
domains  of  its  children.  The  second  constructor  is  classification,  A,  that  is  similar  to  the  generalization  of 
[SS77b].  The  domain  of  such  a  node  is  the  marked  union  of  the  domains  of  its  children.  Finally  collection, 
O,  is  used  to  specify  formation  of  sets  of  objects,  all  of  a  given  type.  Such  a  node  has  only  one  child,  and 
its  domain  is  the  set  of  all  finite  subsets  of  the  domain  of  the  child. 

An  instance  of  a  schema  consists  of  assigning  to  each  leaf  some  subset  of  the  corresponding  domain,  and 
to  each  internal  node  some  subset  of  the  domain  that  is  derived  by  the  above  rules. 

Their  motivation  for  introducing  the  format  model  was  different  from  ours.  They  wanted  to  investigate 
notions  of  relative  information  capacity  of  database  schemas,  i.e.,  whether  one  database  schema  is  more 
expressive  than  another.  For  that  reason,  they  did  not  define  a  query  language  on  their  model.  We  described 
their  model  here,  since  the  logical  data  model  is  based  on  their  structuring  of  data,  with  several  modifications. 
In  particular,  we  modified  the  format  model  to  allow  cyclic  structures,  and  thus  we  obtained  a  model  that 
is  a  true  generalization  of  the  network  and  hierarchical  models. 


2.3.  Non-First-Normal  Form  Relations 

The  relational  model  of  [Cod70]  restricts  the  relations  in  the  database  to  what  are  called  first-normal  form, 
or normalized, relations. In first-normal form the components of a tuple in a relation are simple, i.e.,
atomic, objects, without any further structure. Various people, among them Makinouchi [Mak77], Schek
and Pistor [SP82] and Kobayashi [Kob80], have pointed out that for some applications, such as picture data
processing and CAD, restricting the components to atomic objects is too restrictive a requirement.

[Mak77]  and  [OY85]  discuss  how  to  extend  dependency  theory  and  normal  forms  to  non-first-normal  form 
relations.  [JS82],  [AB84]  and  [FK77]  define  algebras  for  such  relations.  One  consequence  of  our  work  will  be 
that  besides  generalizing  their  work,  we  also  get  a  logical,  non-procedural,  query  language  for  non-first-normal 
form  relations. 


2.4.  Non-Procedural  Query  Languages  for  the 
Network  Model 

Various  papers,  among  them  [MP82],  [Tsi76],  [Dat80]  and  [Gra79],  have  advocated  using  high-level 
languages  for  network  databases.  The  languages  they  describe  are  all  procedural.  [MP82]  and  [Tsi76] 
describe  what  is  essentially  a  relational  front  end  for  a  network  DBMS.  Date’s  model  [Dat80]  involves  explicit 
navigation  as  in  CODASYL,  and  [Gra79]  describes  some  ideas  for  automatic  navigation  using  “paths”  but 
does  not  describe  how  to  use  them  in  a  query  language. 

[Day79], [DB82] and [GDB82] describe NQUEL, a non-procedural language similar to QUEL for use with
network  databases.  The  result  of  an  NQUEL  query  is  a  relation,  but  there  is  also  an  NQUEL  view  definition 
language  that  creates  new  networks.  They  obtained  an  equivalent  procedural  language  by  mapping  the 
network  database  into  an  equivalent  relational  one  [Bor78]  [Kay75],  and  then  using  the  standard  relational 
theory. Our approach differs from theirs in several ways. One difference is that the logical data model can
handle more general structures than NQUEL. Another difference is that by defining the query languages
directly on the given database schema, rather than through mapping them into the relational model, we get
a more natural query language.


2.5. Non-Procedural Query Languages for the
Hierarchical Model

Hardgrave  in  [Har78]  looks  at  ways  to  define  a  non-procedural  query  language  on  hierarchical  databases. 
The  principal  idea  is  that  of  a  “broom,”  i.e.,  a  node  together  with  all  its  children  and  ancestors.  Brooms  in 
his  model  play  the  role  of  tuples  in  the  relational  model.  The  main  problem  he  investigates  is  how  to  handle 
conditions on the tuples. For example, if u, v and w are nodes in the hierarchy, and the query is

Print u where v = c1 and w = c2

do we mean all those u’s that are in some broom with v = c1 and w = c2, or all those u’s that are in some
broom with v = c1 and in some other broom with w = c2? He shows that there are four different approaches
that  may  be  taken,  each  of  which  differs  from  the  others  for  some  queries.  Furthermore,  he  claims  that  users 
with  different  backgrounds  and  experience  may  expect  the  system  to  behave  according  to  different  ones  of 
these  approaches.  Our  query  language  does  not  make  any  of  these  assumptions  for  the  user,  but  can  be  used 
to  specify  explicitly  any  of  Hardgrave’s  query  languages. 

2.6.  Statistical  Databases 

Models that have been proposed for statistical databases such as SSDB [OO84] and GRASS [BRR82] [RR83]
[RR84]  require  that  the  data  have  more  structure  than  the  relational  model  provides.  The  structuring  of  the 
data  is  similar  to  that  of  non-first-normal  form  relations  or  to  the  format  model  that  we  described  above, 
together  with  special  nodes  for  aggregation.  We  can  describe  the  structuring  of  data  in  these  models  using 
the  logical  data  model,  and  it  should  be  possible  to  extend  the  LDM  model  to  include  aggregation  operations. 


Chapter  3 

Introduction  to  the  Logical  Data 
Model 


3.1.  Data  Structuring  in  the  Logical  Data  Model 

The  logical  data  model  is  based  on  Hull  and  Yap’s  format  model  (see  Section  2.2).  A  database  schema  in  the 
format  model  is  a  labeled  tree.  Leaves  are  labeled  with  basic  types  (□)  that  correspond  to  attributes,  while 
internal nodes, labeled O, O and A, correspond to composition, collection and classification, respectively.

As  we  mentioned  in  Section  2.2,  the  format  model  fails  to  model  an  important  part  of  network  and 
hierarchical  database  systems,  namely  the  ability  to  use  virtual  records.  To  model  this,  we  have  to  introduce 
cyclicity  into  the  database  schemas.  Our  first  idea  was  to  have  two  types  of  leaves:  Basic  types  and  pointer 
nodes, i.e., nodes that point to other nodes in the tree. It turned out, however, that what we wanted to
express  using  pointer  nodes  could  be  expressed  more  simply  if  we  use  directed  graphs  rather  than  trees  for 
the  underlying  schema. 

We  made  two  further  modifications  to  Hull  and  Yap’s  format  model  schemas,  both  relatively  minor.  We 
have  only  one  basic  type,  rather  than  several  different  ones.  For  our  purposes,  the  distinction  between  the 
domains  of  the  attributes  is  not  important  for  structuring  the  data.  In  order  to  keep  the  model  as  simple  as 
possible,  we  prefer  to  have  only  one  basic  type.  We  can  express  the  fact  that  the  values  of  some  attribute 
come  from  a  specific  domain  by  a  constraint  in  the  LDM  logic  that  we  shall  define  later.  In  contrast,  since 
Hull  and  Yap  were  interested  mainly  in  relative  information  capacity  of  different  database  schemas,  the 
distinction  between  different  basic  types  was  very  important  for  them. 

The  other  modification  we  made  to  the  format  model  was  to  use  multigraphs  rather  than  simple  directed 
graphs.  This  means  that  there  may  be  more  than  one  edge  between  two  nodes,  and  enables  different 
components  of  tuples  to  have  the  same  structure. 

Since  it  is  more  intuitive,  we  shall  continue  to  use  tree  terminology  when  referring  to  LDM  schemas.  In 
particular,  by  leaf  we  shall  mean  a  sink,  and  by  children  we  shall  mean  successors. 

In  short,  an  LDM  schema  is  a  labeled  directed  multigraph.  The  leaves  are  labeled  □  (basic  type).  The 
values  that  an  instance  of  such  a  node  can  have  are  elements  of  some  fixed  domain.  These  nodes  are  analogous 
to  attributes  in  the  relational  model.  Each  interior  node  is  labeled  with  one  of  the  following. 

1.  Composition,  written  O.  The  domain  of  such  a  node  is  the  cartesian  product  of  the  domains  of  its 
children. 

2. Collection, written O. The domain of such a node is the collection of all finite subsets of the domain
of its child.

3. Classification, written A. The domain of such a node is the disjoint union of the domains of its
children.

In  the  next  three  subsections  we  show  how  to  represent  relational,  network  and  hierarchical  databases  in 
the  logical  data  model. 

3.1.1.  The  Relational  Model 


Person      Parent
Rehoboam    Solomon
Solomon     David
Solomon     Batsheba
David       Jesse

Figure 1: The Person-Parent relation


Figure 2: The Person-Parent relation as an LDM schema


Example 1: In most of the examples in this thesis the database will be a genealogy. Fig. 1 shows this
database  as  a  relation,  together  with  the  data  in  it. 

The  LDM  schema  that  corresponds  to  it  is  shown  in  Fig.  2.  It  consists  of  two  nodes  u  and  v  of  type  □ 
that  correspond  to  the  Person  and  Parent  attributes  respectively,  and  one  node  w  of  type  O  that  contains 
pairs  of  related  attributes. 

For  the  moment,  an  instance  I  of  an  LDM  schema  will  be  an  assignment  to  each  node  u  of  a  set  I(u)  of 
values  from  the  corresponding  domain  (we  shall  modify  the  definition  of  an  instance  in  Section  3.1.4).  An 
instance  of  the  LDM  schema  corresponding  to  the  data  in  Fig.  1  consists  of  the  following  assignments: 

I(u) = {Rehoboam, Solomon, David}

I(v) = {Solomon, David, Batsheba, Jesse}

and

I(w) = {(Rehoboam, Solomon), (Solomon, David), (Solomon, Batsheba), (David, Jesse)}

In general any relation R with attributes A1, ..., An can be converted into an LDM schema in a similar
way. The corresponding schema will have one O-node for R, with n children of type □, one corresponding
to each attribute.


3.1.2.  The  Network  Model 

Example  2:  The  genealogy  could  be  represented  by  the  network  in  Fig.  3.  In  this  network  there  are  two 
record  types,  Person  containing  the  names  of  the  people  in  the  database,  and  a  dummy  record  PP.  There 
are  two  links  (sets)  that  connect  each  dummy  record  to  a  person  and  his  parents. 

The  idea  behind  the  mapping  from  the  network  to  the  LDM  schema  in  Fig.  4  is  as  follows.  Each  record 
type Ri is mapped into a O-node vRi. For each field of Ri, vRi has a child of type □. For each link (set)
in the network with Ri as a member, let Rj be the owner of the link. Then vRj is a child of vRi.


Figure 3: The genealogy as a network


Figure 4: LDM schema corresponding to Fig. 3


In Fig. 4, w is vPP and v is vPerson. u corresponds to the field of the Person record, i.e., the person’s
name,  and  the  two  arcs  from  w  to  v  correspond  to  the  two  links. 

If  the  network  had  the  same  contents  as  the  relation  in  Fig.  1,  the  corresponding  instance  of  the  LDM 
schema  in  Fig.  4  would  be 


I(u) = {Rehoboam, Solomon, David, Batsheba, Jesse}

I(v) = {(Rehoboam), (Solomon), (David), (Batsheba), (Jesse)}

and

I(w) = {((Rehoboam), (Solomon)), ((Solomon), (David)),
        ((Solomon), (Batsheba)), ((David), (Jesse))}


3.1.3.  The  Hierarchical  Model 


Example  3:  Fig.  5  shows  a  hierarchical  representation  of  the  genealogy.  In  this  hierarchy,  each  Person 
record  is  related  to  the  linked  list  of  his  parents.  Even  though  the  hierarchical  model  uses  linked  lists,  this  is 
really  just  a  matter  of  the  implementation,  and  intuitively  the  user  should  see  only  the  connection  between 
a person and the set of his parents. We therefore map each record type Ri into a O-node vRi as we did for
the network model, with a child of type □ corresponding to each of its fields. However, if Ri is a member
of the link (Ri, Rj), then instead of connecting vRi to vRj directly, we connect them through a node of type
O.

Fig. 6 shows the LDM schema that we get from the hierarchy in Fig. 5. In this schema u1 is vPerson, v1
is vParent, u2 and v2 correspond to the fields of these records, and w is used to relate Person records to sets
of Parent records.

The  instance  of  Fig.  6  that  corresponds  to  the  data  in  the  relation  in  Fig.  1  is 

I(u2) = {Rehoboam, Solomon, David}

I(v2) = {Solomon, David, Batsheba, Jesse}

I(v1) = {(Solomon), (David), (Batsheba), (Jesse)}

I(w) = {{(Solomon)}, {(David), (Batsheba)}, {(Jesse)}}

and

I(u1) = {(Rehoboam, {(Solomon)}), (Solomon, {(David), (Batsheba)}),
         (David, {(Jesse)})}


Figure 5: The genealogy as a hierarchy

Figure 6: LDM schema corresponding to Fig. 5

Example  4:  In  practice  we  would  probably  not  use  the  hierarchy  of  Fig.  5  as  a  representation  of  the 
genealogy,  since  it  contains  a  lot  of  duplicated  information.  If  a  person  appears  in  the  database  as  both 
a  child  and  as  a  parent,  he  will  appear  in  both  the  Person  and  Parent  records.  For  this  reason,  we  would 
probably  use  a  hierarchy  with  virtual  records,  as  shown  in  Fig.  7.  The  corresponding  LDM  schema  is  then 
the  cyclic  schema  in  Fig.  8. 

If  the  contents  of  the  database  are  the  same  as  before,  the  corresponding  instance  of  the  LDM  schema  is 

I(u) = {Rehoboam, Solomon, David, Batsheba, Jesse}

I(v) = {(Jesse, ∅),
        (David, {(Jesse, ∅)}),
        (Batsheba, ∅),
        (Solomon, {(David, {(Jesse, ∅)}), (Batsheba, ∅)}),
        (Rehoboam, {(Solomon, {(David, {(Jesse, ∅)}), (Batsheba, ∅)})})}

I(w) = {∅,
        {(Jesse, ∅)},
        {(David, {(Jesse, ∅)}), (Batsheba, ∅)},
        {(Solomon, {(David, {(Jesse, ∅)}), (Batsheba, ∅)})}}


3.1.4.  Instances  of  LDM  Schemas 

Figure 7: The genealogy as a hierarchy with virtual records

Figure 8: LDM schema corresponding to Fig. 7

As we see in Example 4, when the schema is cyclic and the nesting depth is large an instance can be rather
complicated. If the data as well as the schema was cyclic, then the nesting depth would be infinite and we
would not be able to write the instance down at all. This is similar to one of the problems with Jacobs'
database logic. The mathematical theory we develop to deal with this problem is closely related to the
non-well-founded sets of [Acz85]. Our approach to defining an instance of a schema is to model abstractly
the concept of memory addresses and their contents. We use the term "l-values" for the abstract memory
addresses, and the term "r-values" for their contents. An instance I then consists of two parts:

1. An assignment of a set I(u) of l-values (abstract addresses) to each node u of the schema.

2. An assignment of an r-value r(l) to each l-value l in I(u).

These l-values are taken from a fixed set L which will usually be the set of natural numbers. We now show
what some of the instances in the previous examples look like when we use l-values and r-values.

Example 5: The instance of the schema in Example 1 consists of the following assignment of l-values to
nodes.

I(u) = {1, 2, 3}

I(v) = {4, 5, 6, 7}

and

I(w) = {8, 9, 10, 11}

We then assign an r-value r(l) to each of these l-values. This assignment is shown in Fig. 9.

      I(u)               I(v)               I(w)
  l   r(l)           l   r(l)           l    r(l)
  1   Rehoboam       4   Solomon        8    (1,4)
  2   Solomon        5   David          9    (2,5)
  3   David          6   Batsheba       10   (2,6)
                     7   Jesse          11   (3,7)

Figure 9: Instance of the LDM schema that corresponds to a relation

Example 6: In Fig. 10 we show the instance using l-values and r-values that corresponds to the instance
of Example 4. Fig. 11 shows the links between the l-values and their r-values pictorially.

      I(u)               I(v)               I(w)
  l   r(l)           l    r(l)          l    r(l)
  1   Rehoboam       6    (1,11)        11   {7}
  2   Solomon        7    (2,12)        12   {8,9}
  3   David          8    (3,13)        13   {10}
  4   Batsheba       9    (4,14)        14   ∅
  5   Jesse          10   (5,14)

Figure 10: Instance of the LDM schema that corresponds to a hierarchy


3.1.5. The Entity-Relationship Model

We conclude this section by showing how the logical data model can also be used to describe data structured
by the Entity-Relationship Model of [Che76].

To map an entity-relationship schema into an LDM schema, we represent each entity type as a $\Box$-node,
and each relationship record as a $\otimes$-node. A 1-1 arc from a relationship record to an entity type is
represented by an edge from the corresponding $\otimes$-node to the corresponding $\Box$-node, while for a
many-to-one arc the connection is through a $\circledast$-node. Figures 12 and 13 show two examples of
entity-relationship database schemas from [Che76], together with the corresponding LDM schemas.


3.2.  Query  Languages 

In  this  section,  we  give  some  examples  of  logical  and  algebraic  queries  on  LDM  schemas.  All  these  examples 
are  of  queries  that  we  can  write  in  the  query  languages  that  we  shall  describe  later  on.  The  languages 
we  describe  later,  however,  are  more  formal,  and  therefore  harder  to  use.  The  analogous  situation  in  the 
relational  model,  is  the  comparison  between  Codd’s  tuple  calculus  and  languages  like  QUEL.  The  languages 
in  the  current  section  have  not  been  fully  developed,  and  we  describe  them  mainly  as  motivation  for  the 
formal  presentation  in  the  following  chapters.  In  all  the  examples  in  this  section,  the  database  schema  will 
be  the  LDM  representation  of  the  hierarchy,  i.e.,  the  schema  in  Fig.  14,  together  with  the  instance  in  Fig.  15. 


3.2.1.  The  Logical  Query  Language 

Both  the  logical  and  algebraic  query  languages  have  the  property  that  the  result  can  have  a  more  general 
structure  than  a  relation — in  fact  it  is  structured  according  to  some  LDM  schema  that  is  specified  as  part 
of  the  query.  A  query  consists  therefore  of  a  specification  of  the  nodes  of  the  query,  together  with  some 
QUEL-like  statements  specifying  the  contents  of  these  nodes. 
Figure 11: Pictorial representation of the instance in Fig. 10


Example 7: Our first query adds a new node Par-Sol of type $\circledast$ with child Person (see Fig. 16). This node
contains the set of parents of "Solomon." The query is

type of Par-Sol is (collect, Person)
range of t is PP
range of u is PP
retrieve S into Par-Sol
where S = {u.Person}
and t.Person = 'Solomon'
and u is in t.Parents.

Example 8: In this example, we show how to restructure the database in the form shown in the left part
of Fig. 17. We first copy all the people in the node Person into the node Pers

type of Pers is basic
range of t is PP
retrieve t.Person into Pers

The node Pars then contains all pairs that correspond to Person-Parent pairs.

type of Pars is (composition, Pers, Pers)
range of t is PP
range of u is PP
retrieve (t.Person, u.Person) into Pars
where u is in t.Parents.


3.2.2.  The  Algebraic  Query  Language 

Example 9: We show how we could compute the query of Example 7 by a sequence of algebraic operations.

1. Select those elements of PP whose first component is "Solomon," i.e.,
$t_1 = \sigma_{Person = \text{``Solomon''}}(PP)$ (Fig. 18).

2. Do another type of selection: Select those sets that actually appear in tuples in $t_1$. This is the operation
$t_2 = \sigma_{Parents\ in}(t_1)$ (Fig. 19).

3. We now have almost what we want, the only difference being that $t_2$ contains elements of PP rather
than of Person. We have to do a dereferencing step, i.e., project onto Person. The operation is
$\Pi_{Person}(t_2)$.

The entire query is therefore

$\Pi_{Person}\ \sigma_{Parents\ in}\ \sigma_{(Person = \text{``Solomon''})}(PP)$

Figure 12: Department-Employee example

Figure 13: Project-Worker example

Figure 14: LDM Schema

Figure 15: Instance of Fig. 14

Figure 17: Another example of a logic:

Figure 18: First step of the algebraic query

Figure 19: Second step of the algebraic query

Chapter  4 

LDM  Schemas  and  Instances 


In  this  chapter  we  start  the  formal  description  of  the  logical  data  model.  We  define  the  two  basic  components 
of  the  model:  LDM  schemas,  that  describe  how  data  is  structured,  and  instances  of  these  schemas. 


4.1.  LDM  Schemas 

The definition of a schema is essentially the same as outlined in the previous chapter. We have to go into
several technical details that were not mentioned there. If v is a node of type $\otimes$, its domain consists of
tuples formed from its children. For this to be meaningful we need an order on these children. Since there
may be more than one edge between v and a node w, we also need an order on the occurrences of w in these
tuples, so that what we really need is an order on all the edges with tail v. For simplicity, instead of using
one order per node v we shall use a total order on all the edges of the schema.

Another  technical  detail  is  that  a  schema  includes  a  set  of  constants.  The  reason  for  this  is  that  we  want 
to  have  a  precise  analogy  between  schemas  and  instances,  on  the  one  hand,  and  logical  theories  and  models, 
on  the  other.  The  set  of  constants  plays  the  role  of  individual  constants  in  a  logical  theory. 

Definition 1: A schema is a tuple $S = (V, E, <, \mu, C)$ where:

1. (V, E) is a directed multigraph.

2. < is a total order on E.

3. $\mu$ is a function from the set of nodes V to the set of types $\{\Box, \otimes, \circledast, \triangle\}$, that satisfies the following
conditions (see Fig. 21)

(a) $\mu(v) = \Box$ iff v is a leaf.

(b) If $\mu(v) = \circledast$, then v has exactly one child.

(c) If $\mu(v) = \triangle$ then the children of v are distinct nodes (if $\mu(v) = \otimes$, however, there can be
multiple edges from v to a node w).

4. C is a (possibly empty) set of constants.

Figure 21: Nodes in LDM schemas

$\mu(v)$ is called the type of v. For readability, we use the following abbreviations

1. $\mu(v) = (\circledast, w)$ is an abbreviation for "$\mu(v) = \circledast$ and its child is w."

2. (a) $\mu(v) = (\otimes, n)$ is an abbreviation for "$\mu(v) = \otimes$ and v has n children."

(b) $\mu(v) = (\otimes, n, v_1, \ldots, v_n)$ is an abbreviation for "$\mu(v) = \otimes$, there are exactly n edges $e_1, \ldots, e_n$
with tail v, these edges are in the order $e_1 < \cdots < e_n$ and their heads are $v_1, \ldots, v_n$."

3. (a) $\mu(v) = (\triangle, n)$ is an abbreviation for "$\mu(v) = \triangle$ and v has n children."

(b) $\mu(v) = (\triangle, n, v_1, \ldots, v_n)$ is an abbreviation for "$\mu(v) = \triangle$, there are exactly n edges $e_1, \ldots, e_n$
with tail v, these edges are in the order $e_1 < \cdots < e_n$ and their heads are $v_1, \ldots, v_n$."

Some other abbreviations that we shall use include referring to elements of V and E as nodes and edges,
respectively, of S, and referring to < as an order on the children of a node of S. We shall ignore the order
< when it is clear from the context, and we shall often refer to a schema as $(V, E, \mu, C)$.

As  we  outlined  in  the  previous  chapter,  one  part  of  a  query  on  an  LDM  schema  S  is  the  addition  of  some 
nodes  to  S.  We  formalize  this  as  follows 

Definition 2: Let $S = (V, E, <, \mu, C)$ be a schema. $S' = (V', E', <', \mu', C)$ is an extension of S iff

1. $V \subseteq V'$

2. (a) $E \subseteq E'$

(b) If $(v_1, v_2) \in E' - E$ then $v_1$ is in $V' - V$, i.e. all new edges are either between new nodes, or from a
new node to a node in V.

3. $<'|_{E \times E} \;=\; <$

4. $\mu'|_V = \mu$

4.2. Instances of LDM Schemas

Throughout this section S = will be a fixed LDM schema. An instance of S consists of two
parts: An assignment of a set of objects called l-values to each node of S, and an assignment of an object
called its r-value to each such l-value.

In the format model instances are constructed recursively from the leaves up. Since our model allows
cycles, we cannot use this approach. What we do instead is define when a given object I is an instance.

Definition 3: An instance of S is a tuple $\mathbf{I} = (I, r, f)$ that satisfies:

1. I is a function with domain V. This is the assignment of sets of l-values to nodes. We require that
I(v) and I(w) be disjoint whenever v and w are distinct nodes of S.

2. r is a mapping with domain $\bigcup_{v \in V} I(v)$, i.e., from the set of all the l-values that are in the instance.
The mapping r must satisfy:

(a) If $\mu(v) = (\otimes, n, v_1, \ldots, v_n)$ and $l \in I(v)$, then r(l) is a tuple $(l_1, \ldots, l_n)$ such that for each i,
$1 \le i \le n$, $l_i$ is an element of $I(v_i)$.

(b) If $\mu(v) = (\circledast, w)$ and $l \in I(v)$, then r(l) is a subset of I(w).

(c) If $\mu(v) = (\triangle, n, v_1, \ldots, v_n)$ and $l \in I(v)$, then $r(l) \in I(v_1) \cup \cdots \cup I(v_n)$.

Note that in general there is no constraint on the range of r on nodes of type $\Box$.

3. f is a function with domain C. For each $c \in C$, f(c) is the interpretation of the constant c. In general
there is no constraint on the range of f.

If l is in $\bigcup_{v \in V} I(v)$, we say that it is an l-value in I, and r(l) is called its r-value. The set $\bigcup_{v \in V} r[I(v)]$ is
called the set of r-values in I.

Definition 4: A finite instance of S is an instance $\mathbf{I} = (I, r, f)$ of S such that for each node v of S, I(v) is
finite.

In practice, except for the reduction to first-order logic in Sections 5.2 and 5.3, we shall only be interested
in a restricted class of instances, those that correspond to real databases. Such an instance is finite, and
the instance I(v) of each node v is a set of natural numbers. For a given database schema, there is also a
fixed set D from which the data is taken. If v is of type $\Box$ and $l \in I(v)$, r(l) must belong to the set D.
Furthermore, each constant $c \in C$ must also belong to D, and we do not distinguish between c and f(c). In
short, after Section 5.3 we shall talk about schemas $(V, E, \mu)$ and instances $(I, r)$, where all the l-values are
natural numbers, and all the data and constants are taken from a fixed set D.
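The conditions of Definition 3 can be checked mechanically on a finite instance whose l-values are natural numbers. The following Python sketch is an added example, not code from the original text: it encodes the schema of Fig. 8 and the instance of Fig. 10, checks the conditions on I and r, and shows that data with a cycle is still a valid finite instance. The encoding (dicts, type names, function names, the constructed cyclic variant) is an assumption made for illustration.

```python
# Node types of Definition 1 (the names are chosen for this example).
BASIC, COMP, COLL, UNION = "basic", "composition", "collection", "union"

# Schema of Fig. 8: node -> (type, children in edge order).
SCHEMA = {"u": (BASIC, ()), "v": (COMP, ("u", "w")), "w": (COLL, ("v",))}

# Instance of Fig. 10: I assigns l-values to nodes, R gives each l-value its r-value.
I = {"u": {1, 2, 3, 4, 5}, "v": {6, 7, 8, 9, 10}, "w": {11, 12, 13, 14}}
R = {
    1: "Rehoboam", 2: "Solomon", 3: "David", 4: "Batsheba", 5: "Jesse",
    6: (1, 11), 7: (2, 12), 8: (3, 13), 9: (4, 14), 10: (5, 14),
    11: frozenset({7}), 12: frozenset({8, 9}), 13: frozenset({10}), 14: frozenset(),
}


def check_instance(schema, I, r):
    """Return the list of violations of Definition 3 (an empty list means valid)."""
    if set(I) != set(schema):
        return ["I must be defined on exactly the nodes of the schema"]
    errors = []
    # Condition 1: I(v) and I(w) are disjoint for distinct nodes v and w.
    seen = {}
    for node, lvals in I.items():
        for l in lvals:
            if l in seen:
                errors.append(f"l-value {l} occurs in both I({seen[l]}) and I({node})")
            seen[l] = node
    # Condition 2: the domain of r is the union of all the I(v).
    if set(r) != set(seen):
        return errors + ["r must be defined on exactly the l-values of the instance"]
    # Conditions 2(a)-(c): the shape of r(l) depends on the type of the node.
    for node, (typ, children) in schema.items():
        for l in sorted(I[node]):
            val = r[l]
            if typ == COMP:      # tuple with one l-value per edge, in edge order
                ok = (isinstance(val, tuple) and len(val) == len(children)
                      and all(c in I[ch] for c, ch in zip(val, children)))
            elif typ == COLL:    # subset of the l-values of the single child
                ok = isinstance(val, frozenset) and val <= I[children[0]]
            elif typ == UNION:   # one l-value of one of the children
                ok = any(val in I[ch] for ch in children)
            else:                # no constraint on basic nodes
                ok = True
            if not ok:
                errors.append(f"r({l}) = {val!r} is not legal for {typ} node {node}")
    return errors


def is_cyclic(schema, I, r):
    """True iff some l-value reaches itself through r-values (assumes a valid instance).

    For such data the nested notation of Example 4 would be infinitely deep.
    """
    node_of = {l: n for n, ls in I.items() for l in ls}

    def refs(l):
        typ = schema[node_of[l]][0]
        if typ == BASIC:
            return []
        return [r[l]] if typ == UNION else list(r[l])

    state = {}  # l-value -> "open" (on the current path) or "done"

    def visit(l):
        if state.get(l) == "open":
            return True
        if state.get(l) == "done":
            return False
        state[l] = "open"
        found = any(visit(m) for m in refs(l))
        state[l] = "done"
        return found

    return any(visit(l) for l in node_of)


def cyclic_variant():
    """Constructed data: record 8 (David) becomes a parent of record 10 (Jesse)."""
    I2 = {**I, "w": I["w"] | {15}}
    R2 = {**R, 10: (5, 15), 15: frozenset({8})}
    return I2, R2
```

The cyclic variant passes `check_instance` with 15 l-values, although it has no finite nested form in the style of Example 4.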

Definition 5: Let I be an instance of the schema S, and let v be a node of S of type $(\otimes, n, v_1, \ldots, v_n)$.
Let l be any l-value in I(v). If $1 \le i \le n$, then $\Pi_i(l)$ will be the ith component of r(l). We shall also use
the notation $\Pi_{v_i}(l)$ for this component, whenever this does not result in any ambiguity.

The following definition is related to when we can compare two l-values, i.e., if v and w are nodes of S,
$l_1 \in I(v)$ and $l_2 \in I(w)$, is it possible for $l_1$ and $l_2$ to have the same r-value?

Definition 6: We say that two nodes v and w in a schema S are similar iff they are of the same type and
have the same children, i.e., if one of the following holds:

1. $\mu(v) = \mu(w) = \Box$.

2. For some node u, $\mu(v) = \mu(w) = (\circledast, u)$.

3. For some n and nodes $u_1, \ldots, u_n$, $\mu(v) = \mu(w) = (\otimes, n, u_1, \ldots, u_n)$.

4. For some n and nodes $u_1, \ldots, u_n$, $\mu(v) = \mu(w) = (\triangle, n, u_1, \ldots, u_n)$.

We would like to be able to show that whenever $r(l_1) = r(l_2)$ for some $l_1 \in I(v)$ and $l_2 \in I(w)$, then v
and w must be similar. However, this may not be true for v or w of type $\Box$. For example if $\mu(v) = \Box$,
since there is no constraint on the range of the function r on I(v), the r-value of $l_1$ may just happen to have
the form of a tuple or set of l-values. The logic will be defined in such a way that we shall only be able to
compare r-values of similar nodes, so that this will not cause any problems.

Let S' be an extension of S. We define an extension of I to an instance of S' as follows.

Definition 7: Let S' be an extension of S, and let $\mathbf{I} = (I, r, f)$ be an instance of S. We say that an instance
$\mathbf{I}' = (I', r', f)$ of S' is an extension of I to S' iff

1. For all v in V, I'(v) = I(v).

2. If v is a node of S and $l \in I(v)$, then r'(l) = r(l).

The  proof  of  the  following  lemma  is  straightforward. 

Lemma 1: Let S' be an extension of S, and let I' be an instance of S'. Then there is a unique instance I
of S such that I' is the extension of I to S'. This instance is called the restriction of I' to S. ∎

We conclude this chapter with a definition of isomorphism. Two instances will be isomorphic if they
are essentially the same, i.e., if they differ only by renaming of l-values. As we shall want to show that the
result of a query is well-defined up to isomorphism, we give a stronger definition of isomorphism. Let I be
an instance of S, let S' be an extension of S and let $\mathbf{I}_1$ and $\mathbf{I}_2$ be extensions of I to S'. We shall say that $\mathbf{I}_1$
and $\mathbf{I}_2$ are isomorphic relative to S, if there is an isomorphism between $\mathbf{I}_1$ and $\mathbf{I}_2$ that leaves the elements
of I fixed. In the case of a query, this will mean that an isomorphism relative to the database leaves the
contents of the database fixed.

Definition 8: Let S' be an extension of S and let $\mathbf{I} = (I, r, f)$ be an instance of S. Let $\mathbf{I}_1 = (I_1, r_1)$ and
$\mathbf{I}_2 = (I_2, r_2)$ be two extensions of I to S'. We say that $\mathbf{I}_1$ and $\mathbf{I}_2$ are isomorphic relative to S iff there is a
mapping

$g : \bigcup_{v \in V'} I_1(v) \to \bigcup_{v \in V'} I_2(v)$

such that

1. For each node v of S', g maps $I_1(v)$ onto $I_2(v)$.

2. For each node v of S, g is the identity on I(v).

3. If v is a node of S' and $l \in I_1(v)$, then

(a) If v is of type $\Box$, then $r_2(g(l)) = r_1(l)$.

(b) If v is of type $(\otimes, n)$, then

$r_2(g(l)) = (g(\Pi_1(r_1(l))), \ldots, g(\Pi_n(r_1(l))))$

(c) If v is of type $\triangle$, then $r_2(g(l)) = g(r_1(l))$.

(d) If v is of type $\circledast$, then $g[r_2(l)] = r_1[g(l)]$.

As a special case of this definition we get the definition of ordinary isomorphism.

Definition 9: Let $\mathbf{I}_1 = (I_1, r_1)$ and $\mathbf{I}_2 = (I_2, r_2)$ be instances of S. We say that $\mathbf{I}_1$ and $\mathbf{I}_2$ are isomorphic iff
they are isomorphic relative to the empty schema, i.e., the schema with $V = E = \mu = \emptyset$.
5.1. Definition of the Logic

In  this  chapter  we  define  the  LDM  logic.  Our  goal  is  to  define  a  logic  that  is  similar  to  the  relational  tuple 
calculus.  We  then  use  this  logic  as  part  of  the  logical  query  language.  As  the  logic  will  resemble  the  relational 
tuple  calculus,  we  can  also  use  it  to  specify  integrity  constraints  on  LDM  schemas,  and  to  define  views. 

Throughout this chapter $S = (V, E, \mu, C)$ will be a fixed schema, and $\mathbf{I} = (I, r, f)$ will be a fixed instance
of S, unless mentioned otherwise. Each variable in the LDM logic has a fixed sort, where the sorts are the
elements of V. The sorts restrict the possible values that the variable may have. For example, if x is a
variable of sort v then x can take only values in I(v). The analogue to this in the relational calculus is
a tuple variable that ranges over a specific relation. We shall usually write a variable with its sort as a
subscript, e.g., $x_v$. Two variables with different subscripts will denote distinct variables, so that $x_u$ will be a
different variable from $x_v$. Even though variables range over l-values, we shall often say "the l-value of $x_v$"
instead of "the value of $x_v$" and "the r-value of $x_v$" when what we really mean is "the r-value of the value
of $x_v$."

Definition 10: The atomic formulas over S are the following:

1. $x_v \;\pi_i\; y_w$, where w is a node of type $\otimes$ and v is its child.

2. $x_v \;\rho\; y_w$, where w is a node of type $\triangle$ and v is one of its children.

3. $x_v \in y_w$, where w is of type $(\circledast, v)$.

4. $x_v =_l y_v$.

5. $x_v =_r y_w$, where v and w are similar nodes.

6. $x_v =_r c$, where c is an element of C, and v is of type $\Box$.

The atomic formula $x_v \;\pi_i\; y_w$ means that the l-value of $x_v$ is the ith component of the r-value of $y_w$.
Note that we have to mention which component of w we are referring to, since there may be multiple edges
from w to v. However, we shall also write $x_v \;\pi\; y_w$ when this is unambiguous. $x_v \;\rho\; y_w$ means that the
r-value of $y_w$ is $x_v$. Since there is only one edge from w to v we use $\rho$ rather than $\rho_i$. $x_v \in y_w$ means
that $x_v$ is a member of the r-value of $y_w$.

There are several different kinds of equality. $x_v =_l y_v$ means that the l-values of $x_v$ and $y_v$ are equal.
Since I(v) and I(w) are disjoint whenever $v \neq w$, the logic has no atomic formula of the form $x_v =_l y_w$
for $v \neq w$. $x_v =_r y_w$ means that the r-values of $x_v$ and $y_w$ are equal. We restrict this to similar nodes to
prevent us from comparing r-values of $\Box$-nodes to tuples or sets of l-values, as we explained near the end of
Chapter 4. Finally, the atomic formula $x_v =_r c$ means that the r-value of $x_v$ is equal to the interpretation
of the constant c.

By  the  way,  the  subscripted  r’s  in  the  fifth  and  the  sixth  cases  have  slightly  different  meanings.  The  first 
one  refers  to  the  r-value  of  both  sides,  and  the  second  just  to  the  left  side  of  the  formula.  We  decided  that 
the  slight  confusion  this  may  cause  was  preferable  to  using  a  more  cumbersome  notation  such  as  /=*,  r=r 
and 

Definition 11: A well-formed LDM formula over a schema S is:

1. An atomic formula

2. $\phi_1 \vee \phi_2$, where $\phi_1$ and $\phi_2$ are well-formed formulas.

3. $\neg\phi_1$, where $\phi_1$ is a well-formed formula.

4. $(\forall x_v)\phi_1$, where $\phi_1$ is a well-formed formula.

The free variables of $\phi$ are defined in the same way as in first-order logic.

As usual, we use $\phi_1 \wedge \phi_2$ as an abbreviation for $\neg(\neg\phi_1 \vee \neg\phi_2)$ and $(\exists x_v)\phi$ as an abbreviation for $\neg(\forall x_v)\neg\phi$.
We also use $\phi_1 \Rightarrow \phi_2$ and $\phi_1 \Leftrightarrow \phi_2$ with the standard meanings. Another useful abbreviation is the following.

Definition 12: "$x_v =_r (x^1_{v_1}, \ldots, x^n_{v_n})$" where v is a node of type $(\otimes, n, v_1, \ldots, v_n)$ will mean
"$x^1_{v_1} \;\pi_1\; x_v \wedge \cdots \wedge x^n_{v_n} \;\pi_n\; x_v$."

We now define satisfaction of LDM formulas. Let $\phi(x^1_{v_1}, \ldots, x^n_{v_n})$ be an LDM formula whose free variables
are $x^1_{v_1}, \ldots, x^n_{v_n}$. Let $l_1, \ldots, l_n$ be an assignment of l-values to the free variables in the formula, i.e., each
$l_i$ is a member of the corresponding $I(v_i)$. $\models_{\mathbf{I}} \phi(l_1, \ldots, l_n)$ will mean that $\phi$ is satisfied by $l_1, \ldots, l_n$ in the
instance I. When I is clear from the context, we shall write $\models$ instead of $\models_{\mathbf{I}}$.

Definition 13: Let $\phi(x^1_{v_1}, \ldots, x^n_{v_n})$ be a formula with free variables $x^1_{v_1}, \ldots, x^n_{v_n}$, and let $l_i \in I(v_i)$ for all i,
$1 \le i \le n$. Then $\models_{\mathbf{I}} \phi(l_1, \ldots, l_n)$ iff the following hold:

1. If $\phi$ is $x^i_{v_i} \;\pi_k\; x^j_{v_j}$, then $\models_{\mathbf{I}} (x^i_{v_i} \;\pi_k\; x^j_{v_j})(l_1, \ldots, l_n)$ iff $l_i = \Pi_k(l_j)$.

2. If $\phi$ is $x^i_{v_i} \;\rho\; x^j_{v_j}$, then $\models_{\mathbf{I}} (x^i_{v_i} \;\rho\; x^j_{v_j})(l_1, \ldots, l_n)$ iff $l_i = r(l_j)$.

3. If $\phi$ is $x^i_{v_i} \in x^j_{v_j}$, then $\models_{\mathbf{I}} (x^i_{v_i} \in x^j_{v_j})(l_1, \ldots, l_n)$ iff $l_i \in r(l_j)$.

4. If $\phi$ is $x^i_{v_i} =_l x^j_{v_j}$, then $\models_{\mathbf{I}} (x^i_{v_i} =_l x^j_{v_j})(l_1, \ldots, l_n)$ iff $l_i = l_j$.

5. If $\phi$ is $x^i_{v_i} =_r x^j_{v_j}$, then $\models_{\mathbf{I}} (x^i_{v_i} =_r x^j_{v_j})(l_1, \ldots, l_n)$ iff $r(l_i) = r(l_j)$.

6. If $\phi$ is $x^i_{v_i} =_r c$, then $\models_{\mathbf{I}} (x^i_{v_i} =_r c)(l_1, \ldots, l_n)$ iff $r(l_i) = f(c)$.

7. $\models_{\mathbf{I}} (\phi_1 \vee \phi_2)$ iff $\models_{\mathbf{I}} \phi_1$ or $\models_{\mathbf{I}} \phi_2$.

8. $\models_{\mathbf{I}} \neg\phi$ iff $\models_{\mathbf{I}} \phi$ does not hold.

9. If $\phi$ is a formula with free variables $x^1_{v_1}, \ldots, x^n_{v_n}, y_w$, then

$\models_{\mathbf{I}} ((\forall y_w)\phi)(l_1, \ldots, l_n)$ iff for all $l \in I(w)$, $\models_{\mathbf{I}} \phi(l_1, \ldots, l_n, l)$

Definition 14: An LDM constraint or sentence is an LDM formula with no free variables.

Definition 15: A constrained schema is a pair $(S, \phi)$, where S is a schema and $\phi$ is an LDM constraint over
S. An instance of $(S, \phi)$ is an instance I of S that satisfies $\models_{\mathbf{I}} \phi$.

Definition 16: Let $\phi$ be an LDM sentence. We say that an instance I of S satisfies $\phi$ iff $\models_{\mathbf{I}} \phi$ holds.

Definition 17: Let $\Sigma$ be a set of LDM sentences, and let $\phi$ be an LDM sentence. We say that $\Sigma \models \phi$ iff for
every instance I of S that satisfies all the sentences in $\Sigma$, $\models_{\mathbf{I}} \phi$ holds.

Definition 18: Let $\phi$ be an LDM sentence. We say that $\phi$ is valid iff for
any instance I of S, $\models_{\mathbf{I}} \phi$ holds.

Example 10: This example and the next one will be over the LDM schema of Fig. 8 (page 10) with the
instance of Fig. 10 (page 11). The LDM formula $\phi(x_u, y_v) = (x_u \;\pi_1\; y_v)$ says that the l-value of $x_u$ is equal
to the first component of the r-value of $y_v$. $\models_{\mathbf{I}} \phi(l_1, l_2)$ holds for the $(l_1, l_2)$ pairs (1, 7), (2, 8), (3, 9), (4, 10),
and (5, 11).

Example 11: Let us see how to write a constraint that says that each l-value of u is related to exactly one
set in w. So for example, '8' and '9' as parents of '2' must be in one set rather than in two different sets.
The constraint is

$\phi = (\forall x_u)(\forall y^1_v)(\forall y^2_v)(\forall z^1_w)(\forall z^2_w)\bigl((y^1_v =_r (x_u, z^1_w) \wedge y^2_v =_r (x_u, z^2_w)) \Rightarrow z^1_w =_l z^2_w\bigr)$

In other words, each l-value in u ($x_u$) has at most one l-value in w ($z^1_w$ and $z^2_w$) associated with it. This
association is through $y^1_v$ and $y^2_v$.

Note that this constraint says that each l-value in u is associated with at most one set in w, rather
than saying that each person in the database is associated with at most one such set. There could still be
duplication in u, e.g., two l-values with the r-value "Solomon." One way to prevent this would be through
the constraint

$(\forall x^1_u)(\forall x^2_u)(x^1_u =_r x^2_u \Rightarrow x^1_u =_l x^2_u)$

The  following  lemma  shows  that  we  can  restrict  the  logic  without  reducing  its  power.  We  show  that 
there  is  no  need  for  atomic  formulas  that  compare  r-values  of  internal  nodes.  This  lemma  will  make  some 
subsequent  proofs  and  definitions  much  simpler. 

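Lemma 2: Let $\phi(x^1_{v_1}, \ldots, x^n_{v_n})$ be an LDM formula whose free variables are the variables $x^1_{v_1}, \ldots, x^n_{v_n}$.
There is an LDM formula $\psi(x^1_{v_1}, \ldots, x^n_{v_n})$ with the same free variables, that does not contain any atomic
subformula of the form $x_u =_r y_v$ with $\mu(v), \mu(w) \neq \Box$. This formula is equivalent to $\phi$, i.e., for all instances
I of S and all $l_1, \ldots, l_n$, $l_i \in I(v_i)$, $\models_{\mathbf{I}} \phi(l_1, \ldots, l_n)$ iff $\models_{\mathbf{I}} \psi(l_1, \ldots, l_n)$.

Proof: The proof is by induction on the size of $\phi$. We show how to construct $\psi$ for formulas of the form
$x_u =_r y_v$, where u and v are similar and not of type $\Box$. The result will then follow immediately.

We distinguish between the possible types of v and w.

1. If u and v are of type $(\circledast, w)$, then $\psi(x_u, y_v)$ will be $(\forall z_w)(z_w \in x_u \Leftrightarrow z_w \in y_v)$, where $z_w$ is some new
variable. Let I be an instance of S. Then

$\models_{\mathbf{I}} (x_u =_r y_v)(l_1, l_2) \;\Leftrightarrow\; r(l_1) = r(l_2)$

$\Leftrightarrow$ for all l in I(w), $l \in r(l_1) \Leftrightarrow l \in r(l_2)$

$\Leftrightarrow\; \models_{\mathbf{I}} ((\forall z_w)(z_w \in x_u \Leftrightarrow z_w \in y_v))(l_1, l_2)$

and therefore $\phi \Leftrightarrow \psi$ is valid.

2. If u and v are of type $(\otimes, n, w_1, \ldots, w_n)$, then $\psi(x_u, y_v)$ will be

$(\forall z^1_{w_1}) \cdots (\forall z^n_{w_n}) \bigl((z^1_{w_1} \;\pi_1\; x_u \Leftrightarrow z^1_{w_1} \;\pi_1\; y_v) \wedge \cdots \wedge (z^n_{w_n} \;\pi_n\; x_u \Leftrightarrow z^n_{w_n} \;\pi_n\; y_v)\bigr)$

where $z^1_{w_1}, \ldots, z^n_{w_n}$ are n different new variables. Let I be an instance of S. Then $\models_{\mathbf{I}} (x_u =_r y_v)(l_1, l_2)$
is equivalent to $r(l_1) = r(l_2)$. If $r(l_1) = (l^1_1, \ldots, l^n_1)$ and $r(l_2) = (l^1_2, \ldots, l^n_2)$, $r(l_1) = r(l_2)$ is equivalent
to $l^i_1 = l^i_2$, for $i = 1, \ldots, n$. In other words, for each such i,

$\models_{\mathbf{I}} ((\forall z^i_{w_i})(z^i_{w_i} \;\pi_i\; x_u \Leftrightarrow z^i_{w_i} \;\pi_i\; y_v))(l_1, l_2)$

and therefore $\models_{\mathbf{I}} (x_u =_r y_v)(l_1, l_2)$ is equivalent to

$\models_{\mathbf{I}} \bigl((\forall z^1_{w_1}) \cdots (\forall z^n_{w_n}) ((z^1_{w_1} \;\pi_1\; x_u \Leftrightarrow z^1_{w_1} \;\pi_1\; y_v) \wedge \cdots \wedge (z^n_{w_n} \;\pi_n\; x_u \Leftrightarrow z^n_{w_n} \;\pi_n\; y_v))\bigr)(l_1, l_2)$

i.e., $\phi \Leftrightarrow \psi$ is valid.

3. If u and v are of type $(\triangle, n, w_1, \ldots, w_n)$, then $\psi(x_u, y_v)$ will be

$(\exists z^1_{w_1})(z^1_{w_1} \;\rho\; x_u \wedge z^1_{w_1} \;\rho\; y_v) \vee \cdots \vee (\exists z^n_{w_n})(z^n_{w_n} \;\rho\; x_u \wedge z^n_{w_n} \;\rho\; y_v)$

where $z^1_{w_1}, \ldots, z^n_{w_n}$ are n different new variables. Let I be an instance of S. Then $\models_{\mathbf{I}} (x_u =_r y_v)(l_1, l_2)$
is equivalent to $r(l_1) = r(l_2) = l$. This can hold only if for some i, $1 \le i \le n$, $l \in I(w_i)$, in which case

$\models_{\mathbf{I}} ((\exists z^i_{w_i})(z^i_{w_i} \;\rho\; x_u \wedge z^i_{w_i} \;\rho\; y_v))(l_1, l_2)$

and therefore $\phi \Leftrightarrow \psi$ is again valid. ∎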

From now on, we shall assume that $x_u =_r y_v$ can appear as a subformula only when $\mu(v) = \mu(w) = \Box$, as
far as proofs and definitions are concerned. We shall continue to use the more general form when convenient.

The proof of the following lemma, that says that satisfaction is preserved under isomorphism, is
straightforward.

Lemma 3: Let S' be an extension of S, and let $\mathbf{I}_1$ and $\mathbf{I}_2$ be extensions of I to S'. Let g be an isomorphism
from $\mathbf{I}_1$ to $\mathbf{I}_2$ relative to S, and let $\phi(x^1_{v_1}, \ldots, x^n_{v_n})$ be an LDM formula. Then

$\models_{\mathbf{I}_1} \phi(l_1, \ldots, l_n) \;\Leftrightarrow\; \models_{\mathbf{I}_2} \phi(g(l_1), \ldots, g(l_n))$ ∎

Lemma 4: Let $\phi(x^1_{v_1}, \ldots, x^n_{v_n})$ be an LDM formula over S whose free variables are $x^1_{v_1}, \ldots, x^n_{v_n}$. Let I be a
finite instance and let $l_i \in I(v_i)$ for all i, $1 \le i \le n$. Then $\models_{\mathbf{I}} \phi(l_1, \ldots, l_n)$ can be determined effectively.

Proof:  We  show  this  by  induction  on  the  size  of  the  formula.  For  atomic  formulas  testing  for  satisfaction 
is  straightforward.  Testing  for  disjunction  and  negation  is  also  clearly  effective.  For  quantification  we  make 
use  of  the  finiteness  of  I.  In  order  to  test  whether  f=  j  ((Vyw)^)(/i, . . . ,  /„),  we  test  whether  \=i<f>(h, . . . ,  /) 

for  each  /  in  the  finite  set  I(w).  | 
5.2. The Relation between LDM logic and First-Order Logic

In this section we shall show that the LDM logic is essentially first-order; that is, it is compact and it satisfies
a Löwenheim-Skolem theorem. We shall prove this by reducing LDM logic to a certain many-sorted first-order
logical theory with equality. We mention in contrast that Jacobs' database logic [Jac82] is inherently a
higher-order logic that does not have any of these properties. In the next section, we shall use this reduction
to develop a proof theory for the LDM-logic. In both these sections we shall not assume that instances are
finite, or make any of the other assumptions on instances that we mentioned earlier.

Let L be an LDM logic over S. We construct a many-sorted first order logic with equality L' as follows.
The sorts of L' are $V \cup \{c\}$, i.e., we have a sort $v$ for each node of the schema, and one special sort $c$ that
corresponds to the domain from which the data is taken. L' has variables ranging over all the sorts, except
for the special sort $c$, since we do not want to be able to quantify over the data domain.

The relation symbols of L' are

$$\{\in_w \mid w \in V \text{ and } \mu(w) = \circledast\} \cup \{\rho_{w,v} \mid w \in V,\ \mu(w) = \triangle \text{ and } v \text{ is a child of } w\}$$

If $w \in V$ is of type $(\circledast, v)$ then $\in_w$ is a binary relation symbol between elements of sorts $v$ and $w$. $\rho_{w,v}$ is
also a binary relation between these sorts. We shall use infix notation for binary relations.

The function symbols of L' are

$$\{\pi_{w,i} \mid w \in V,\ \mu(w) = (\otimes, n),\ 1 \le i \le n\} \cup \{f_w \mid w \in V,\ \mu(w) = \Box\}$$

The function symbol $\pi_{w,i}$ is from sort $w$ to sort $v$, where $v$ is the $i$th child of $w$. We shall also use the notation
when its meaning is unambiguous. The function symbol $f_w$ is from sort $w$ to sort $c$. Intuitively, $\pi_{w,i}$
maps its argument to its $i$th component, and $f_w$ maps its argument to its r-value, which is a data element.
The reason we use $\rho_{w,v}$, rather than a function symbol, is that $\rho$ should be interpreted as a function from
$I(w)$ to the union of the instances of its children, whereas in first-order logic all functions are to exactly one
sort. For this reason we use a relation symbol for $\rho$, and we shall also need some extra axioms for L' besides
the usual logical axioms. Finally, the constants of L (i.e., the elements of $C$) are also constants of L', of sort
$c$.

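The logical theory L' then consists of the standard logical axioms, together with the set Ax(S) of axioms
for $\rho$. Ax(S) contains the following axioms for each node $w$ of S that is of type $(\triangle, v_1, \ldots, v_n)$.

1. $(\forall x_w)\big((\exists y^1_{v_1})(y^1_{v_1}\ \rho_{w,v_1}\ x_w) \vee \cdots \vee (\exists y^n_{v_n})(y^n_{v_n}\ \rho_{w,v_n}\ x_w)\big)$

2. For all $i$ and $j$ where $1 \le i, j \le n$ and $i \ne j$, $(\forall x_w)\big((\exists y^i_{v_i})(y^i_{v_i}\ \rho_{w,v_i}\ x_w) \Rightarrow (\forall y^j_{v_j})\neg(y^j_{v_j}\ \rho_{w,v_j}\ x_w)\big)$

3. For all $i$, $1 \le i \le n$, $(\forall x_w)(\forall y^1_{v_i})(\forall y^2_{v_i})\big((y^1_{v_i}\ \rho_{w,v_i}\ x_w) \wedge (y^2_{v_i}\ \rho_{w,v_i}\ x_w) \Rightarrow (y^1_{v_i} = y^2_{v_i})\big)$

Essentially these axioms say that the interpretation of $\rho$ is a function from $I(w)$ to $I(v_1) \cup \cdots \cup I(v_n)$. When
we use the symbol $\models$ in the theory L', e.g., $\Sigma \models \varphi$, we shall mean that every model of $\Sigma$ and Ax(S) is also
a model of $\varphi$.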

We  now  define  two  mappings.  The  first,  F  (for  “First-order”)  will  map  formulas  and  instances  of  the 
LDM  logic  L  to  formulas  and  structures  of  L'.  The  second  mapping,  L  (for  “LDM”)  will  map  L'  to  L. 


5.2.1.  Mapping  LDM  Logic  into  First-Order  Logic 

We  first  show  how  to  map  LDM  formulas  into  first-order  formulas. 
Definition 19: Let $\varphi$ be a formula of L. W.l.o.g., assume that it is in the form of Lemma 2 (page 24). $F(\varphi)$
is the L'-formula defined as follows.

1. $F(x_v\ \pi_i\ y_w)$ is $x_v = \pi_{w,i}(y_w)$.

2. $F(x_v\ \rho\ y_w)$ is $x_v\ \rho_{w,v}\ y_w$.

3. $F(x_v \in y_w)$ is $x_v \in_w y_w$.

4. $F(x_v =_l y_v)$ is $x_v = y_v$.

5. $F(x_v =_r y_w)$ is $f_v(x_v) = f_w(y_w)$, where $v$ and $w$ are both of type $\Box$.

6. $F(x_v =_r c)$ is $f_v(x_v) = c$.

7. $F(\varphi_1 \wedge \varphi_2) = F(\varphi_1) \wedge F(\varphi_2)$.

8. $F(\neg\varphi) = \neg F(\varphi)$.

9. $F((\forall x_v)\varphi) = (\forall x_v)F(\varphi)$.

We now map an instance $\mathbf{I}$ of S into a structure $F(\mathbf{I})$ over L'. An L'-structure $\mathbf{M}$ consists of an assignment
of a domain to each sort $s$, an assignment of a function to each function symbol $g$, an assignment
of a relation to each relation symbol $R$ and an interpretation of each individual constant of L'.

Definition 20: Let $\mathbf{I} = (I, r, f)$ be an instance of S. $F(\mathbf{I})$ is the following L'-structure.

1. The domain corresponding to each sort $v$ of L', except for the sort $c$, is the set $I(v)$. Formally,
$D_{F(\mathbf{I})}(v) = I(v)$.

2. $D_{F(\mathbf{I})}(c) = \{f(c) \mid c \in C\} \cup \{r(l) \mid l \in I(v) \text{ and } \mu(v) = \Box\}$. This means that the domain that
corresponds to the sort $c$ consists of the interpretation of all the logical constants and of all the data
in the instance.

3. The interpretation of $\pi_{w,i}$ is the function that maps each element of $I(w)$ to the $i$th component
of its r-value. Formally, $(\pi_{w,i})_{F(\mathbf{I})}(l) = \Pi_i(l)$, for all $l \in I(w)$.

4. The interpretation of $\rho_{w,v}$ is the relation

$$(\rho_{w,v})_{F(\mathbf{I})} = \{(l_1, l_2) \mid l_1 \in I(v),\ l_2 \in I(w) \text{ and } l_1 = r(l_2)\}$$

5. The interpretation of $f_v$ is the function $(f_v)_{F(\mathbf{I})}$ that maps each element of $I(v)$ to its r-value, i.e.,
$(f_v)_{F(\mathbf{I})}(l) = r(l)$ for all $l \in I(v)$. Note that all these r-values are in $D_{F(\mathbf{I})}(c)$ by 2.

6. The interpretation of $\in_w$, where $w$ is of type $(\circledast, v)$, is the relation

$$(\in_w)_{F(\mathbf{I})} = \{(l_1, l_2) \mid l_1 \in I(v),\ l_2 \in I(w) \text{ and } l_1 \in r(l_2)\}$$

7. The interpretation of the individual constant $c$ is $f(c)$. This is in $D_{F(\mathbf{I})}(c)$ by 2.

This definition immediately implies the following lemma.

Lemma 5: $\models_{F(\mathbf{I})} Ax(S)$ ∎

Theorem 6: For any L-sentence $\varphi$, $\models_{\mathbf{I}} \varphi \Leftrightarrow \models_{F(\mathbf{I})} F(\varphi)$.
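Proof: The proof is by induction on the size of $\psi$. The induction hypothesis is as follows. If $\psi(x^1_{v_1}, \ldots, x^n_{v_n})$
is an L-formula and $l_i \in I(v_i)$ for all $i$, $1 \le i \le n$, then

$$\models_{\mathbf{I}} \psi(l_1, \ldots, l_n) \Leftrightarrow \models_{F(\mathbf{I})} F(\psi)(l_1, \ldots, l_n)$$

The theorem follows immediately by taking $\psi = \varphi$.

For atomic formulas the proof of the induction hypothesis is straightforward. For example

$$\begin{aligned}
\models_{\mathbf{I}} (x_v\ \pi_i\ y_w)(l_v, l_w) &\Leftrightarrow l_v = \Pi_i(l_w) \\
&\Leftrightarrow l_v = (\pi_{w,i})_{F(\mathbf{I})}(l_w) \\
&\Leftrightarrow \models_{F(\mathbf{I})} (x_v = \pi_{w,i}(y_w))(l_v, l_w) \\
&\Leftrightarrow \models_{F(\mathbf{I})} F(x_v\ \pi_i\ y_w)(l_v, l_w)
\end{aligned}$$

If $\psi$ is either $\psi_1 \vee \psi_2$ or $\neg\psi_1$, the proof is easy. Finally, if $\psi(x^1_{v_1}, \ldots, x^n_{v_n})$ is the formula $(\forall y_w)\chi(x^1_{v_1}, \ldots, x^n_{v_n}, y_w)$,
then

$$\models_{\mathbf{I}} ((\forall y_w)\chi)(l_1, \ldots, l_n) \Leftrightarrow \text{For all } l \text{ in } I(w),\ \models_{\mathbf{I}} \chi(l_1, \ldots, l_n, l)$$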

By  the  induction  hypothesis  and  the  definition  of 

For  all  l  in  F(I)  -^(x)(/ij  •  *  •» 

5.2.2.  Mapping  the  First-Order  Logic  into  LDM  Logic 

In order to define the inverse mapping $L$ from L' to L, we first examine the form of atomic formulas in the
first-order logic L'. Since the only relation symbols in L' are $\in_w$, $\rho_{w,v}$ and $=$, such an atomic formula must
be one of the following.

1. $t_1 \in_w t_2$ where $w$ is of type $(\circledast, v)$, $t_1$ is of sort $v$ and $t_2$ is of sort $w$.

2. $t_1\ \rho_{w,v}\ t_2$ where $w$ is of type $\triangle$, $v$ is a child of $w$, $t_1$ is of sort $v$ and $t_2$ is of sort $w$.

3. $t_1 = t_2$ where both $t_1$ and $t_2$ are of sort $w$ for some $w$ in $V$.

4. $t_1 = t_2$ where both $t_1$ and $t_2$ are of sort $c$.

Note that we cannot have $t_1 \in_w t_2$ or $t_1\ \rho_{w,v}\ t_2$ where either $t_1$ or $t_2$ is of sort $c$.

We  first  introduce  some  notation.  Whenever  t  is  a  term  of  the  form 

*  *  *  fl’tin-i  ,Un-3  ^Un>«»-1  (^Un) 

we  shall  want  to  replace  it  by  a  variable  of  sort  u\.  For  this  purpose,  we  introduce  new  variables  zUl ,  . . ., 
zu~h  of  sort  ui,  u2,  . . .,  un_  1  respectively.  Qt  will  stand  for  the  sequence  of  quantifiers 

0t  =  (3O-(3*s:-\) 

and  ipt  wiH  say  that  z}tl ,  . . . ,  z*~} t  are  on  the  path  from  xUn ,  i.e., 

^2iul  )  A  *  *  *  A  ^Un^n-l^n)! 

Using this notation we define $L(\varphi)$ for an atomic L'-formula $\varphi$ as follows.
1. Since the result of each $f_u$ is of sort $c$ and there are no function symbols from sort $c$, whenever $\varphi$ is
$t_1 \in_w t_2$ or $t_1\ \rho_{w,v}\ t_2$, the only possible form that the terms $t_1$ and $t_2$ can have is

fa  =  ^uXiv^u2,Ui  *  * 

and 

($n$ or $m$ may be equal to 0, in which case some of the new variables are not needed. It should be obvious
how to modify the definitions in this case, and in the case when $t_1$ or $t_2$ is an individual constant.) We
now define

$$L(t_1 \in_w t_2) = Q_{t_1} Q_{t_2} \big( \psi_{t_1} \wedge \psi_{t_2} \wedge (z_v \in z_w) \big)$$

where $z_v$ and $z_w$ are the new variables of sorts $v$ and $w$ that we introduced.

In a similar way $L(t_1\ \rho_{w,v}\ t_2)$ is defined as

$$Q_{t_1} Q_{t_2} \big( \psi_{t_1} \wedge \psi_{t_2} \wedge (z_v\ \rho\ z_w) \big)$$


2. When $\varphi$ is $t_1 = t_2$ where $t_1$ and $t_2$ are of sort $w$, $t_1$ and $t_2$ must be of the form


fa 


and 


fa  —  ^VXlW^V2tVX  ■ 


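We then define

$$L(t_1 = t_2) = Q_{t_1} Q_{t_2} \big( \psi_{t_1} \wedge \psi_{t_2} \wedge (z^1_w =_l z^2_w) \big)$$

where $z^1_w$ and $z^2_w$ are the two new variables of sort $w$ that we introduced.

3. When $\varphi$ is $t_1 = t_2$ where $t_1$ and $t_2$ are of sort $c$, $t_1$ and $t_2$ must have the form

$$t_1 = f_{u_1} \pi_{u_2,u_1} \cdots$$

and

$$t_2 = f_{v_1} \pi_{v_2,v_1} \cdots \pi_{v_m,v_{m-1}}$$

Write $t_1 = f_{u_1}(t_3)$ and $t_2 = f_{v_1}(t_4)$. We then define $L(t_1 = t_2)$ to be

$$Q_{t_3} Q_{t_4} \big( \psi_{t_3} \wedge \psi_{t_4} \wedge (z_{u_1} =_r z_{v_1}) \big)$$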

Definition 21: When $\varphi$ is an L'-formula, $L(\varphi)$ is defined as follows.

1. If $\varphi$ is an atomic formula, $L(\varphi)$ is defined above.

2. $L(\varphi_1 \wedge \varphi_2) = L(\varphi_1) \wedge L(\varphi_2)$.

3. $L(\neg\varphi) = \neg L(\varphi)$.

4. $L((\forall x_v)\varphi) = (\forall x_v)L(\varphi)$. The fact that L' has no variables of sort $c$ is necessary to guarantee that this
is an L-formula.

We now show how to map L'-structures into L-instances.
Definition 22: Let $\mathbf{M}$ be an L'-structure that satisfies Ax(S). We define $L(\mathbf{M}) = (I_{L(\mathbf{M})}, r_{L(\mathbf{M})}, f_{L(\mathbf{M})})$
to be the following instance of S.

1. For each node $v$ of S, $I(v)$ is the domain that corresponds to the sort $v$, i.e., $I(v) = D_{\mathbf{M}}(v)$.

2. For each $l \in I(v)$, $r(l)$ is defined as follows:

(a) If $\mu(v) = \Box$, then $r(l) = (f_v)_{\mathbf{M}}(l)$.

(b) If $\mu(v) = (\otimes, n, v_1, \ldots, v_n)$, then $r(l) = ((\pi_{v,1})_{\mathbf{M}}(l), \ldots, (\pi_{v,n})_{\mathbf{M}}(l))$.

(c) If $\mu(v) = (\circledast, w)$, then $r(l) = \{l' \mid l'\ (\in_v)_{\mathbf{M}}\ l\}$.

(d) If $\mu(v) = (\triangle, n, v_1, \ldots, v_n)$, then $r(l) = l'$ where $l'$ is the unique element of $I(v_1) \cup \cdots \cup I(v_n)$ such
that $l'\ \rho_{v,v_i}\ l$ for some $i$. The existence and uniqueness of $l'$ are consequences of Ax(S).

3. For each $c \in C$, $f(c)$ is the interpretation of the individual constant $c$ in the structure $\mathbf{M}$.

Lemma 7: $L(\mathbf{M})$ is well defined and is an instance of S. ∎

Theorem 8: Let $\mathbf{M}$ be an L'-structure. Then for any L'-sentence $\varphi$, $\models_{\mathbf{M}} \varphi \Leftrightarrow \models_{L(\mathbf{M})} L(\varphi)$.

Proof:  The  induction  hypothesis  is  the  following.  If  is  an  L'-formula  with  free  variables 

xh>  -"xvn  and  U  €  f°r  a11  1  <  *  <  then 

$$\models_{\mathbf{M}} \psi(l_1, \ldots, l_n) \Leftrightarrow \models_{L(\mathbf{M})} L(\psi)(l_1, \ldots, l_n)$$

Taking $\psi = \varphi$ completes the proof of the theorem. We shall show the inductive proof only for the first type
of atomic formula in the list above. The proofs for the other cases are similar. Once we know that the result
holds for atomic formulas, it is easy to show that it holds for all other formulas.

We  therefore  let  rl>(xU}yu/)  be  the  L'-formula  t\  Ew  t2  where  w  is  of  type  (0,v) 


and 


$L(t_1 \in_w t_2)$ was defined as $Q_{t_1} Q_{t_2}(\psi_{t_1} \wedge \psi_{t_2} \wedge (z_v \in z_w))$ where $z_v$ and $z_w$ are new variables. Let $l \in I(u)$
and $l' \in I(u')$. Then $\models_{\mathbf{M}} (t_1 \in_w t_2)(l, l')$ holds iff


nvnUl  •  *  •  nUn(Z)  (Eu>)m  Bh/Hu*  *  *  *  (z ) 

Let  lv  =  nvnui  ..-n un(l)  and  lw  =  11^11^/  * •  •  n«/m(Z').  Then  lv(Ew) and  therefore  lv  E  lw  By  their 
definition,  there  must  be  a  sequence  of  1- values  ZUl ,  . . . ,  ZUw,  Zuj ,  . . . ,  Zu/m  satisfying 

N  l(M)  ^  A  (Z« » ZUl , . . . ,  ZUn ,  Zty ,  zu/ , . . . ,  Z^  ,  Z,  Z ) 

This  implies  that 

NmV’(M')  ^  Ni(M)  AV’ts  a(z„  e  zw)^(i,i') 


and  therefore 


N  M  ^(Z>  Z  )  ^  (=  £,(M)  Z2)(Z,  Z )  | 


5.2.3. Consequences of the Reduction

It follows immediately from the definitions together with Lemma 5 that $L$ and $F$ are inverse mappings on
instances.

Lemma 9:

1. If $\mathbf{I} = (I, r, f)$ is an instance of S, then $L(F(\mathbf{I})) = \mathbf{I}$.

2. If $\mathbf{M}$ is an L'-structure that satisfies Ax(S), then $F(L(\mathbf{M})) = \mathbf{M}$. ∎

As functions on formulas, $F$ and $L$ are not inverses, since $F(L(\varphi))$ may be a different sentence from $\varphi$.
However these sentences are logically equivalent.

Lemma 10:

1. Let $\varphi$ be an L-sentence. Then $L(F(\varphi))$ is equivalent in L to $\varphi$.

2. Let $\varphi$ be an L'-sentence. Then $Ax(S) \vdash (F(L(\varphi)) \Leftrightarrow \varphi)$.

Proof:

1. We have to show that for any instance $\mathbf{I}$ of S, $\models_{\mathbf{I}} (\varphi \Leftrightarrow L(F(\varphi)))$. By Theorem 6, $\models_{\mathbf{I}} \varphi$ is equivalent to
$\models_{F(\mathbf{I})} F(\varphi)$, and by Theorem 8, $\models_{F(\mathbf{I})} F(\varphi)$ is equivalent to $\models_{L(F(\mathbf{I}))} L(F(\varphi))$. Finally, by Lemma 9,
$L(F(\mathbf{I})) = \mathbf{I}$.

2. Let $\mathbf{M}$ be an L'-structure satisfying Ax(S). By Theorem 8, $\models_{\mathbf{M}} \varphi$ is equivalent to $\models_{L(\mathbf{M})} L(\varphi)$.
Theorem 6 implies that $\models_{L(\mathbf{M})} L(\varphi)$ is equivalent to $\models_{F(L(\mathbf{M}))} F(L(\varphi))$ and by Lemma 9, $F(L(\mathbf{M})) = \mathbf{M}$.
Therefore $F(L(\varphi))$ is equivalent to $\varphi$, and therefore $Ax(S) \vdash (F(L(\varphi)) \Leftrightarrow \varphi)$. ∎

Corollary 11: (Validity) Let $\varphi$ be an LDM sentence over S. Then $\varphi$ is valid if and only if $Ax(S) \vdash F(\varphi)$.

Proof: Assume $\varphi$ is valid. Let $\mathbf{M}$ be an L'-structure satisfying Ax(S). Since $\varphi$ is valid, $\models_{L(\mathbf{M})} \varphi$. By
Theorem 6, $\models_{F(L(\mathbf{M}))} F(\varphi)$ and therefore $\models_{\mathbf{M}} F(\varphi)$. This shows that $Ax(S) \vdash F(\varphi)$. The proof of the
converse is similar. ∎

Corollary 12: (Compactness) Let $\Sigma$ be a set of LDM sentences over S. Then $\Sigma$ is satisfiable iff every
finite subset of $\Sigma$ is satisfiable.

Proof: Let $F(\Sigma) = \{F(\sigma) \mid \sigma \in \Sigma\}$. If $\mathbf{I}$ satisfies a finite subset of $\Sigma$, then by Theorem 6 $F(\mathbf{I})$ will satisfy
the corresponding subset of $F(\Sigma)$. This shows that every finite subset of $F(\Sigma)$ is satisfiable by a model of
Ax(S). The Compactness Theorem for first-order logic then implies that $F(\Sigma) \cup Ax(S)$ is satisfiable by some
model $\mathbf{M}$. By Theorem 8, all the sentences in $L(F(\Sigma))$ hold in $L(\mathbf{M})$, and by Lemma 10 the sentences in
$L(F(\Sigma))$ are logically equivalent to those in $\Sigma$. ∎

Corollary 13: (Löwenheim-Skolem) Let $\Sigma$ be a set of LDM-sentences over a schema S. If $\Sigma$ is satisfiable,
then it is satisfiable by a countable instance.

Proof: The proof is similar to the proof of the Compactness Theorem, together with the observation that
the mapping $L$ preserves the cardinality of the model. ∎

While  the  latter  two  corollaries  are  of  theoretical  interest,  the  Validity  Corollary  also  has  a  practical 
significance.  It  implies  that  together  with  the  appropriate  interface  we  can  use  a  standard  theorem-prover 
in  the  database  design  process  or  for  deductive  query  processing  [BBG78]  [MMSU81]  [NG78]  [Rei84]. 
5.3. A Proof Theory for LDM Logic

In this section we give a complete set of axioms and derivation rules for LDM logic. The axioms are as
follows.

1. All instances of propositional tautologies.

2. Logical axioms, as in first-order logic.

(a) $\vdash (\forall x_v)(\varphi \Rightarrow \psi) \Rightarrow ((\forall x_v)\varphi \Rightarrow (\forall x_v)\psi)$

(b) $\vdash (\forall x_v)\varphi(x_v) \Rightarrow \varphi(y_v)$, where $y_v$ does not appear bound in $\varphi$.

3. Equality axioms for $=_l$.

(a) $\vdash (x_v =_l x_v)$

(b) $\vdash x_v =_l y_v \Rightarrow (\varphi \Rightarrow \psi)$, where $\psi$ is obtained from $\varphi$ by replacing some or all occurrences of $x_v$ by
$y_v$.

4. Axioms that say that $=_r$ is an equivalence relation. If $u$, $v$, and $w$ are nodes of S of type $\Box$, then the
following are axioms.

(a) $\vdash (x_u =_r x_u)$

(b) $\vdash (x_u =_r y_v \Rightarrow y_v =_r x_u)$

(c) $\vdash (x_u =_r y_v \wedge y_v =_r z_w \Rightarrow x_u =_r z_w)$

5. Axioms for $\otimes$-nodes. If $u$ is of type $\otimes$ and $v$ is its $i$th child, then we have axioms saying that each
l-value in $I(v)$ has a unique $i$th projection.

(a) $\vdash (\forall x_u)(\exists y_v)(y_v\ \pi_i\ x_u)$ (Existence).

(b) $\vdash (\forall x_u)(\forall y_v)(\forall z_v)(y_v\ \pi_i\ x_u \wedge z_v\ \pi_i\ x_u \Rightarrow y_v =_l z_v)$ (Uniqueness).

6. Axioms for $\triangle$-nodes. If $u$ is of type $(\triangle, n, v_1, \ldots, v_n)$, then there is exactly one element of the $I(v_i)$'s
that corresponds to each element of $u$.

(a) $(\forall x_u)\big((\exists y^1_{v_1})(y^1_{v_1}\ \rho\ x_u) \vee \cdots \vee (\exists y^n_{v_n})(y^n_{v_n}\ \rho\ x_u)\big)$ (Existence).

(b) For all $i, j$ where $1 \le i, j \le n$ and $i \ne j$,

$$(\forall x_u)\big((\exists y^i_{v_i})(y^i_{v_i}\ \rho\ x_u) \Rightarrow (\forall y^j_{v_j})\neg(y^j_{v_j}\ \rho\ x_u)\big)$$

(Uniqueness of the node among the children of $u$).

(c) For all $i$, $1 \le i \le n$,

$$(\forall x_u)(\forall y^1_{v_i})(\forall y^2_{v_i})\big((y^1_{v_i}\ \rho\ x_u) \wedge (y^2_{v_i}\ \rho\ x_u) \Rightarrow (y^1_{v_i} =_l y^2_{v_i})\big)$$

(Uniqueness in that child).

The derivation rules are the same as in first-order logic, namely

(MP) From $\vdash \varphi \Rightarrow \psi$ and $\vdash \varphi$ we can infer $\vdash \psi$.

(Gen) From $\vdash \varphi$ we can infer $\vdash (\forall x_v)\varphi$ for any sort $v \in V$.
We use the standard notation for implication. Therefore $\Sigma \vdash \varphi$ means that $\varphi$ follows from $\Sigma$ and the
above axioms and derivation rules. We now show that this is a complete set of axioms.

Theorem 14:

$$\Sigma \models \varphi \Leftrightarrow \Sigma \vdash \varphi$$

Proof: We first prove that $\Sigma \models \varphi \Leftrightarrow F(\Sigma) \models F(\varphi)$. If $\Sigma \models \varphi$, and $\mathbf{M}$ is a model of $F(\Sigma)$ satisfying Ax(S),
then $L(\mathbf{M})$ is a model of $L(F(\Sigma))$. By Lemma 10, $L(\mathbf{M})$ satisfies $\Sigma$, and therefore satisfies $\varphi$. But then
$\mathbf{M} = F(L(\mathbf{M}))$ satisfies $F(\varphi)$ by Theorem 6. The proof of the converse is similar.

By the completeness of first-order logic, $F(\Sigma) \models F(\varphi)$ is equivalent to $F(\Sigma) \vdash F(\varphi)$. To complete the
proof, it therefore remains to show that

$$\Sigma \vdash \varphi \Leftrightarrow F(\Sigma) \vdash F(\varphi)$$

To prove that $\Sigma \vdash \varphi \Rightarrow F(\Sigma) \vdash F(\varphi)$, we show that each axiom of the LDM logic L is mapped by $F$ into
a theorem of L', and that the derivation rules are mapped into valid rules.

It is easy to see that tautologies are mapped to tautologies. The other logical axioms are similar, e.g.,

$$(\forall x_v)(\varphi \Rightarrow \psi) \Rightarrow ((\forall x_v)\varphi \Rightarrow (\forall x_v)\psi)$$

is mapped by $F$ into

$$(\forall x_v)(F(\varphi) \Rightarrow F(\psi)) \Rightarrow ((\forall x_v)F(\varphi) \Rightarrow (\forall x_v)F(\psi))$$

which is valid in first-order logic.

The axioms for $=_l$ are similarly mapped into equality axioms of first-order logic. As for the axioms for
$=_r$, $F(x_u =_r y_v \Rightarrow y_v =_r x_u)$, for example, is

$$(f_u(x_u) = f_v(y_v) \Rightarrow f_v(y_v) = f_u(x_u))$$

which is clearly valid.

The axioms for $\otimes$ are mapped to the valid LDM sentences

$$(\forall x_u)(\exists y_v)(y_v = \pi_{u,i}(x_u))$$

and

$$(\forall x_u)(\forall y_v)(\forall z_v)(y_v = \pi_{u,i}(x_u) \wedge z_v = \pi_{u,i}(x_u) \Rightarrow y_v = z_v)$$

and the axioms for $\triangle$ are mapped into axioms in Ax(S). The proof that the derivation rules are valid is
straightforward.

We shall now show that $\Sigma \vdash \varphi \Rightarrow L(\Sigma) \vdash L(\varphi)$. Once this holds, we then have $F(\Sigma) \vdash F(\varphi) \Rightarrow L(F(\Sigma)) \vdash
L(F(\varphi))$, and applying Lemma 10 completes the proof.

In order to prove this, we show that all the axioms of the first-order theory L' are mapped by $L$ into
consequences of the LDM axioms, and that the derivation rules are mapped into valid derivation rules. For
this we need a set of axioms for many-sorted logic. Such a set of axioms consists [Sch38] of the standard
first-order axioms with the obvious restrictions of sorts of variables and terms.

The proof for the derivation rules and equality axioms is straightforward. It is also straightforward to
show that the axioms in Ax(S) are mapped into the $\triangle$-axioms, and that an instance of the logical axiom

$$\vdash (\forall x_v)(\varphi \Rightarrow \psi) \Rightarrow ((\forall x_v)\varphi \Rightarrow (\forall x_v)\psi)$$

is mapped into the corresponding LDM axiom.
The remaining, and most difficult, case is the logical axiom

$$\vdash (\forall x_v)\varphi(x_v) \Rightarrow \varphi(t)$$

where $t$ is a term that contains no variables that are quantified in $\varphi$ by a quantifier that has a free occurrence
of $x_v$ in its range. This is mapped into the formula $\vdash (\forall x_v)L(\varphi(x_v)) \Rightarrow L(\varphi(t))$. This might appear to be
an instance of the corresponding LDM axiom, but it is not. The reason for this is that substituting $t$ and
then applying $L$ does not give the same formula as applying $L$ and then substituting $t$ for $x_v$.

Let $\tilde{\varphi}$ be the result of substituting the term $t$ for $x_v$ in $\varphi$. We shall prove that $(\forall x_v)(L(\varphi)) \Rightarrow L(\tilde{\varphi})$ is a
theorem of LDM logic by showing, by induction on the size of $\varphi$, that the stronger assertion $(\forall x_v)(L(\varphi)) \Rightarrow
L(\tilde{\varphi}) \Rightarrow (\exists x_v)(L(\varphi))$ is such a theorem. The proofs of all of the cases except when $\varphi$ is atomic are trivial.
Note that the second implication is needed for the proof of the first implication to go through in the case of
negation.

For the case when $\varphi$ is atomic, note first that $v$ cannot be of sort $c$, since there are no variables of this
sort. The treatment of the various types of atomic formulas are all similar, and we shall prove the result for
the case when $\varphi$ is the formula $x_v \in y_w$. $t$ must be a term of the form $\pi_v \pi_{v_1} \cdots \pi_{v_n}(z_u)$. $(\forall x_v)L(\varphi)$ is then
the formula

$$(\forall x_v)(x_v \in_w y_w)$$

$L(\tilde{\varphi})$ is the formula

$$(\exists x_v)(\exists x_{v_1}) \cdots (\exists x_{v_n})(x_v\ \pi_v\ x_{v_1} \wedge \cdots \wedge x_{v_n}\ \pi_{v_n}\ z_u \wedge x_v \in_w y_w)$$

and $(\exists x_v)L(\varphi)$ is $(\exists x_v)(x_v \in_w y_w)$. Proving the induction hypothesis is now straightforward since the LDM
axioms for $\otimes$-nodes imply that for each $z_u$ there are $x_{v_n}, \ldots, x_{v_1}, x_v$ satisfying

$$(x_v\ \pi_v\ x_{v_1} \wedge \cdots \wedge x_{v_n}\ \pi_{v_n}\ z_u)$$ ∎

Corollary 15: The axiom system introduced in this section is sound and complete for LDM logic. ∎


5.4.  The  Complexity  of  Integrity  Checking 

From now on we consider only instances that correspond to real databases. In other words all instances are
finite, all l-values are natural numbers, all r-values in nodes of type $\Box$ are from a fixed set $D$, and we do not
distinguish between individual constants in the schemas and data elements.

In this section we investigate the complexity of checking integrity constraints. The integrity constraints
are sentences in LDM-logic, and a database is "legal" if and only if it satisfies the constraints. Following
[Var82], we use two measures of complexity, data complexity and expression complexity. Intuitively, data
complexity is the complexity of testing satisfaction of a fixed sentence in terms of the size of the database.
Expression complexity, on the other hand, is the complexity of testing satisfaction of sentences on a fixed
database in terms of the length of the sentences.

More formally, the data complexity of LDM logic is the complexity of the sets

$$Gr(S, \varphi) = \{\mathbf{I} \mid \mathbf{I} \text{ is an instance of } S \text{ and } \models_{\mathbf{I}} \varphi\}$$

where $\varphi$ is a sentence over S. The expression complexity of LDM logic is the complexity of the sets

$$Gr'(S, \mathbf{I}) = \{\varphi \mid\ \models_{\mathbf{I}} \varphi\}$$

where $\mathbf{I}$ is an instance of S. Note that $Gr(S, \varphi)$ is a set of instances, while $Gr'(S, \mathbf{I})$ is a set of sentences.
Theorem 16:

1. For every sentence $\varphi$ over S, the set $Gr(S, \varphi)$ is in LOGSPACE.

2. For every instance $\mathbf{I}$ of S, the set $Gr'(S, \mathbf{I})$ is in PSPACE.

3. There is a schema S and an instance $\mathbf{I}$ of S, such that the set $Gr'(S, \mathbf{I})$ is logspace complete in PSPACE.

Proof:

1. We have to test whether, for a fixed sentence $\varphi$, $\models_{\mathbf{I}} \varphi$. Let $|\mathbf{I}| = n$ be the number of l-values in $\mathbf{I}$, and
let $k$ be the number of quantifiers in $\varphi$. In order to test whether $\models_{\mathbf{I}} \varphi$ we have to test all possible
assignments of values to these variables, of which there are at most $n^k$. If we cycle through these
assignments in a fixed, say lexicographic, order, we can do this in space $O(k \log n) = O(\log n)$. For
each such assignment it is easy to see that testing $\varphi$ takes constant space.

2. As in the previous case, we can test $\models_{\mathbf{I}} \varphi$ in $O(k \log n) = O(k)$ space. In this case $n$ is fixed and $k$,
the number of quantifiers in $\varphi$, is less than the length of $\varphi$.

3. We shall reduce the Quantified Boolean Formulas (QBF) of [Sto77] to the set $Gr'(S, \mathbf{I})$. Let S be the
schema consisting of the single node $u$ of type $\Box$. Let $\mathbf{I}$ be the instance of S with $I(u) = \{1, 2\}$ and
$r(1) = F$, $r(2) = T$. If $E' = (Q_1 x_1) \cdots (Q_n x_n)E$ is an instance of QBF, let $\varphi(E')$ be the LDM formula
that we get by replacing each literal $x_i$ in $E$ by $x^i_u =_r T$, each $\bar{x}_i$ by $x^i_u =_r F$, and each quantifier
$(Q_i x_i)$ by $(Q_i x^i_u)$. We clearly have $|\varphi(E')| \le c|E'|$, and also

$$\varphi(E') \in Gr'(S, \mathbf{I}) \Leftrightarrow \models_{\mathbf{I}} \varphi(E') \Leftrightarrow \text{There exists a satisfying truth assignment for } E'$$ ∎

Thus  the  data  complexity  of  LDM  logic  is  LOGSPACE,  and  the  expression  complexity  of  LDM  logic  is 
PSPACE.  Since  analogous  results  hold  for  the  relational  model  [Var82] ,  we  see  that  integrity  checking  in  the 
logical  data  model  is  not  more  difficult  than  in  the  relational  model. 
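The satisfaction test of Lemma 4 and the QBF reduction in the proof of Theorem 16(3) can be run directly on the two-element instance used there. The following Python sketch is an added illustration, not code from the thesis; the tuple encoding of formulas and the function names are assumptions of the example, and disjunction and the existential quantifier are treated as primitive rather than as abbreviations.

```python
# Added illustration of Lemma 4 and the reduction in Theorem 16(3).
# The tuple encoding and all function names are assumptions of this example.

# Instance I from the proof: a single basic node u with I(u) = {1, 2},
# r(1) = F and r(2) = T.
I_U = (1, 2)
R_VALUE = {1: False, 2: True}

# QBF nodes:  ("var", i), ("not", e), ("and", e1, e2), ("or", e1, e2),
#             ("forall", i, e), ("exists", i, e)
# LDM nodes:  ("eq_r", i, c) stands for  x^i_u =_r c  with c in {True, False};
#             the connectives and quantifiers are encoded as for QBF.

def qbf_to_ldm(e):
    """Replace x_i by x^i_u =_r T, a negated x_i by x^i_u =_r F, and each
    quantifier (Q_i x_i) by (Q_i x^i_u), as in the proof."""
    tag = e[0]
    if tag == "var":
        return ("eq_r", e[1], True)
    if tag == "not" and e[1][0] == "var":
        return ("eq_r", e[1][1], False)
    if tag == "not":
        return ("not", qbf_to_ldm(e[1]))
    if tag in ("and", "or"):
        return (tag, qbf_to_ldm(e[1]), qbf_to_ldm(e[2]))
    if tag in ("forall", "exists"):
        return (tag, e[1], qbf_to_ldm(e[2]))
    raise ValueError(f"unknown QBF node: {tag!r}")

def satisfies(f, env=None):
    """Decide |=_I f by the procedure of Lemma 4: a quantifier is tested by
    running through every l-value of the finite set I(u). Only the current
    assignment env (one l-value per open quantifier) is kept, which is the
    O(k log n) space bound used in the proof of Theorem 16."""
    env = {} if env is None else env
    tag = f[0]
    if tag == "eq_r":
        return R_VALUE[env[f[1]]] == f[2]
    if tag == "not":
        return not satisfies(f[1], env)
    if tag == "and":
        return satisfies(f[1], env) and satisfies(f[2], env)
    if tag == "or":
        return satisfies(f[1], env) or satisfies(f[2], env)
    if tag in ("forall", "exists"):
        results = (satisfies(f[2], {**env, f[1]: l}) for l in I_U)
        return all(results) if tag == "forall" else any(results)
    raise ValueError(f"unknown LDM node: {tag!r}")

def qbf_true(e, env=None):
    """Reference evaluator that works on the QBF itself, for comparison."""
    env = {} if env is None else env
    tag = e[0]
    if tag == "var":
        return env[e[1]]
    if tag == "not":
        return not qbf_true(e[1], env)
    if tag == "and":
        return qbf_true(e[1], env) and qbf_true(e[2], env)
    if tag == "or":
        return qbf_true(e[1], env) or qbf_true(e[2], env)
    if tag in ("forall", "exists"):
        results = (qbf_true(e[2], {**env, e[1]: b}) for b in (False, True))
        return all(results) if tag == "forall" else any(results)
    raise ValueError(f"unknown QBF node: {tag!r}")

def size(t):
    """Number of nodes in a formula, used to check that the translation
    does not increase the size of the formula."""
    return 1 + sum(size(c) for c in t[1:] if isinstance(c, tuple))

# Constructed sample inputs.
X1, X2 = ("var", 1), ("var", 2)
# (forall x1)(exists x2)((x1 or x2) and (not x1 or not x2)): true, take x2 = not x1.
E_TRUE = ("forall", 1, ("exists", 2,
          ("and", ("or", X1, X2), ("or", ("not", X1), ("not", X2)))))
# (exists x1)(forall x2)((x1 and x2) or (not x1 and not x2)): false.
E_FALSE = ("exists", 1, ("forall", 2,
           ("or", ("and", X1, X2), ("and", ("not", X1), ("not", X2)))))

if __name__ == "__main__":
    for name, e in (("E_TRUE", E_TRUE), ("E_FALSE", E_FALSE)):
        phi = qbf_to_ldm(e)
        print(name, "QBF:", qbf_true(e), "LDM in I:", satisfies(phi),
              "sizes:", size(e), "->", size(phi))
```
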


Chapter  6 


The  Logical  Query  Language 


6.1.  Introduction 

In this chapter we use the LDM logic described in the previous chapter to define a non-procedural query
language on LDM schemas. This language will be analogous to the tuple calculus in the relational model. As
we mentioned earlier, non-procedural languages exist for the relational model but not for the other models,
and these models can only be queried through various procedural languages. For the rest of this thesis we
consider only instances that correspond to real databases. In other words all instances are finite, all l-values
are natural numbers, all r-values in nodes of type $\Box$ are from a fixed set $D$, and we do not distinguish
between individual constants in the schemas and data elements. Throughout this chapter S will be a fixed
schema. Except where mentioned otherwise, $\mathbf{I}$ will be a fixed instance of S.

We  noted  one  major  difference  between  the  relational  model  and  other  models,  namely  that  the  result 
of  a  query  in  the  relational  model  has  the  same  structure  as  the  relations  in  the  database.  This  is  certainly 
not  true  of  most  of  the  other  data  models.  Whatever  the  result  of  a  query  on  a  hierarchical  database  is, 
using  the  standard  query  languages,  it  will  not  be  another  hierarchy.  Because  of  this  property  the  relational 
query  language  can  be  used  for  defining  views,  rather  than  requiring  a  separate  language  for  view  definition. 
Furthermore,  the  fact  that  the  result  of  a  query  has  the  same  structure  as  the  database  enables  us  to  express 
and answer complex queries. The system can then break queries up into simpler subqueries and answer the
simpler  queries  first. 

We  would  therefore  like  the  LDM  queries  to  have  a  structure  that  is  similar  to  that  of  the  database,  i.e., 
they  should  also  be  LDM  schemas.  Chapter  3  gives  some  idea  of  the  sort  of  queries  we  should  like  to  write. 

The natural analogue to the relational calculus would be to have the query consist of an LDM formula
$\varphi$ containing one free variable for each query node. Intuitively, we should select all objects that satisfy the
formula. This approach turned out not to work for several reasons. One was the difficulty of handling cyclic
queries, while the other was what to do with nodes of type $\circledast$. The only way we were able to deal with
$\circledast$ nodes was to require the query to group together as much as possible in each set. This both reduced
the expressive power of such nodes, as we could no longer relate an object to more than one set, and also
resulted in an extremely complicated and unintuitive definition of the result of the query.

Another unsuccessful approach, using a closed formula $\varphi$, is described in Appendix A. The successful
approach was based on the following idea. Suppose the query added just one node $u$ to the schema. Then we
could use a formula $\varphi_u(x_u)$ with one free variable $x_u$ of sort $u$ to define explicitly what the contents of $u$ are
in terms of the contents of the database. The bound variables of $\varphi_u(x_u)$ therefore can range over nodes of
the schema S. The result of the query will be an extension of $\mathbf{I}$ such that $u$ contains all those "objects" that
satisfy $\varphi$.
What do we do if Q adds more than one node to S? We decided to extend this approach by having
one  formula  per  node.  Each  such  formula  will  define  the  result  at  its  node  in  terms  of  the  contents  of  the 
database  and  of  nodes  whose  result  has  already  been  constructed.  A  consequence  of  this  is  that  the  query 
schema  must  be  acyclic.  As  we  still  allow  the  database  schema  to  be  cyclic  and  only  prevent  the  user  from 
constructing  new  cycles  in  his  queries  we  do  not  think  that  this  is  too  serious  a  restriction. 


6.2.  The  LDM  Query  Language 

Definition 23: Let $S = (V, E, \mu)$ be an LDM schema. A query on S consists of a tuple $Q = (S_Q, \Phi_Q, \prec_Q)$ where

1. $S_Q$ is an extension of S.

2. $\prec_Q$ is a topological order on the nodes in $V_Q - V$, i.e., $\prec_Q$ is a linear order such that if $v$ is a child of $w$ then $v \prec_Q w$.

3. $\Phi_Q$ is a set of LDM formulas, one for each node $v$ in $V_Q - V$. The formula $\phi_v$ that corresponds to the node $v$ satisfies

(a) $\phi_v$ has only one free variable, and it is of sort $v$.

(b) All other variables in $\phi_v$ are bound. Each of their sorts is either a node of the database schema S or is a query node that precedes $v$ under $\prec_Q$.

The order $\prec_Q$ is used to specify the order in which we define the result of the query. In Section 6.4 we investigate to what extent we can do without this order.

Before  continuing  with  the  formal  details  we  give  several  examples  of  logical  queries.  The  database 
schema  in  these  examples  will  be  the  genealogy  schema  of  Fig.  8  (page  10).  The  instance  of  it  will  be  that 
shown  in  Fig.  10  (page  11). 

Example 12: The schema of $Q_1$ is shown in Fig. 22. The formula $\phi_{u'}(x_{u'})$ is $(\exists y_u)(x_{u'} =_r y_u)$. In other words we want $I(u')$ to be a copy of $I(u)$. We eliminate, however, any duplication that may be in $I(u)$. The result of the query (see footnote 1) is shown in Fig. 23.


Figure 22: Schema of $Q_1$


1 In all these examples, the result is defined only up to isomorphism relative to S, i.e., the choice of l-values is arbitrary

I(u')

l    r(l)
17   Rehoboam
18   Solomon
19   David
20   Batsheba
21   Jesse

Figure 23: Result of $Q_1$


Example 13: The schema of $Q_2$ is shown in Fig. 24. $Q_2$ has a formula that is always true. The result is quite large, containing $2^6 = 64$ elements, the l-values 17 to 80. For this reason we do not show it here. The r-values of these l-values are all the subsets of $I(u)$.


Example 14: The schema of $Q_3$ is shown in Fig. 25. We want $v'$ to contain the set of parents of Solomon and so we have the formulas

MM  =  (3j/i)(3^)(34)(3^)(34)((yi  =r  M  A  (vl  =r  “Solomon”) 

Mzv  =r  (vl .  *»)) A  (zl e  **) A  (yi  *1 ZD) 

and $\phi_{v'}(x_{v'}) = (\forall y_{u'})(y_{u'} \in x_{v'})$.

What  <£u/(av)  says  is  that  there  is  some  1-value  (yj|)  in  I(u)  with  the  r-value  “Solomon,”  and  another 
(yl)  with  r-value  equal  to  xui.  The  rest  of  the  formula  says  that  yl  is  a  parent  of  y£.  ^w'C*v)  says  that  I(vf) 
contains  all  the  1- values  in  I(uf)  in  one  set. 

The  result  of  the  query  is  shown  in  Fig.  26. 

Example 15: The schema of $Q_4$ is shown in Fig. 27. We want to restructure the hierarchy as a relation, i.e., we want $I(v')$ and $I(w')$ to contain all the names of people that are in the database and $I(u')$ to connect people to their parents.

The formulas are


$\phi_{v'}(x_{v'}) = (\exists y_u)(x_{v'} =_r y_u)$

Figure 25: Schema of $Q_3$


I(u')               I(v')

l    r(l)           l    r(l)
17   David          19   {17,18}
18   Batsheba

Figure 26: Result of $Q_3$


—r  Vu) 


and 


M*.')  =  (3*i')(3^-)(3yi)(3^)(34)(3^2)(34)((^-  =r  y£)  A  (z2<  =r  y2) 

A(*i*  =r  (4'>  4'))  A  (4  =r  (yi,  4))  A  (y2  Ti  4)  A  (4  E  4)) 

The  result  of  the  query  is  shown  in  Fig.  28. 


We  now  formally  define  the  result  of  a  logical  query.  We  start  by  looking  at  queries  that  add  just  one 
node  to  the  schema.  We  shall  call  queries  like  this  simple  queries. 

Definition 24: A query Q is called a simple query if $|V_Q - V| = 1$. We shall use the notation $Q_v$ for a simple query that has $V_Q - V = \{v\}$.

Let $Q_v$ be a simple query on a schema S and let I be an instance of S. The result of $Q_v$ on I will be an extension $I_v$ of I to $S_{Q_v}$. In order to define $I_v$ we have to define what $I_v(v)$ is and what the r-values of these l-values are. It should contain all those "objects" that satisfy $\phi_v(x_v)$. The problem with using this as a definition of $I_v$ is that $\phi_v(x_v)$ is satisfied by l-values and since $I_v(v)$ has not yet been defined it is meaningless to talk about the objects that satisfy $\phi_v$. It might seem that this problem is trivial, but suppose that $\phi_v(x_v)$ included the conjunct $(\forall y_v)(\forall z_v)(y_v =_l z_v)$. In other words $I(v)$ can contain at most one l-value. If the rest of $\phi_v$ allowed several possibilities for the r-value of this l-value we would have no way of choosing which one would be in the result.

What enables us to deal with this problem is that a formula like this is not allowed in our query language: all bound variables in our language must refer to database nodes or nodes that precede $v$, not to $v$ itself. As a result of this restriction, it will turn out that although $\phi_v$ refers to l-values, it really expresses something about their r-values alone. This will enable us to find the r-values that satisfy $\phi_v$ and after that pick the l-values arbitrarily.

I(v')               I(w')               I(u')

l    r(l)           l    r(l)           l    r(l)
17   Rehoboam       22   Rehoboam       27   (17,23)
18   Solomon        23   Solomon        28   (18,24)
19   David          24   David          29   (18,25)
20   Batsheba       25   Batsheba       30   (19,26)
21   Jesse          26   Jesse

Figure 28: Result of $Q_4$


Definition 25: Let $r$ be an r-value (i.e., anything that could be an r-value of $x_v$). We say that $r$ is a candidate r-value for $v$ (see footnote 2) if the following holds. Let $l$ be some new l-value, i.e., one that does not appear in I. Let $I_v$ be the extension of I to $S_{Q_v}$ with $I(v) = \{l\}$ and $r(l) = r$. Then $\models_{I_v} \phi_v(l)$.

By using this arbitrary l-value we are able to express the fact that $r$ is one of the objects that should be in the result of the query. We first show that the particular choice of l-value is unimportant.

Lemma 17: Let $r$ be an r-value and let $I_1$ and $I_2$ be two extensions of I to $S_{Q_v}$ defined by, respectively, $I_1(v) = \{l_1\}$, $r_1(l_1) = r$, and $I_2(v) = \{l_2\}$, $r_2(l_2) = r$. Then $\models_{I_1} \phi_v(l_1) \Leftrightarrow \models_{I_2} \phi_v(l_2)$.

Proof:  By  definition  <j>v  has  only  one  free  variable  of  sort  v ,  i.e.,  the  variable  xv.  By  inspection,  we  can  see 
that  the  only  atomic  formulas  that  can  contain  xv  are  xw  x*  xv ,  xw  p  xv ,  xw  G  ,  xv  =r  d,  xv  =r  and 
xv  =1  xv.  The  last  of  these  is  always  true,  and  it  is  easy  to  see  that  the  truth  of  the  others  depends  only  on 
the  r-value  of  xv.  The  proof  is  then  a  straightforward  induction.  | 

We now define the result of $S_{Q_v}$. Take all the candidate r-values for $v$, pick a new l-value for each one of them and put all of these l-values into $I_v(v)$. For now, we shall assume that the set of candidate r-values is finite. Queries with this property will correspond to the safe queries in the relational model. In the next section we shall look at this issue in more detail.

Definition 26: The result of $Q_v$ is the extension $I_v$ of I to $S_{Q_v}$ defined as follows. Let $R$ be the set of all the candidate r-values for $v$ and let $\{l_r \mid r \in R\}$ be a set of new l-values, i.e., ones that do not appear in I. We then define $I_v(v)$ to be the set $\{l_r \mid r \in R\}$ and define $r(l_r) = r$ for each $r \in R$.


2  Of  course  this  really  depends  on  Q  and  I  as  well,  but  these  should  be  clear  from  the  context. 

We now show that this definition has the properties we want. We show that the result is well defined (up to isomorphism relative to S, and assuming finiteness), that everything in the result satisfies $\phi_v$ and that we cannot add anything else that satisfies $\phi_v$ to the result without introducing duplication. Some of this formalizes what we meant when we said that $\phi_v$ expresses something about the r-values of $x_v$ rather than about their l-values.

We  first  state  a  lemma  which  we  shall  need  for  the  proof  of  Lemma  19.  The  proof  of  this  lemma  is  similar 
to  the  proof  of  Lemma  17. 

Lemma 18: Let $I_1$ be an extension of I to $S_{Q_v}$. Let $l$ be an element of $I_1(v)$ and let $I_2$ be the extension of I to $S_{Q_v}$ defined by $I_2(v) = \{l\}$ and $r_2(l) = r_1(l)$. Then $\models_{I_1} \phi_v(l) \Leftrightarrow \models_{I_2} \phi_v(l)$. ■

Lemma 19:

1. Let $I_1$ and $I_2$ be two results of $Q_v$. Then $I_1$ and $I_2$ are isomorphic relative to S.

2. Let $I_v$ be the result of $S_{Q_v}$. Then for each $l$ in $I_v(v)$, $\models_{I_v} \phi_v(l)$.

Proof:

1. Let $I_1$ and $I_2$ be two possible results of Q and let $l_1$ be an element of $I_1(v)$. Since $r(l_1)$ is a candidate r-value for $v$ there must be some $l_2$ in $I_2(v)$ with $r(l_2) = r(l_1)$. Since both $I_1(v)$ and $I_2(v)$ have no duplication we immediately get a 1-1 correspondence between the l-values of $I_1(v)$ and $I_2(v)$. It is easy to see that this correspondence is an isomorphism.

2. Let $l$ be an arbitrary element of $I_v(v)$, and let $I^* =$ be the extension of I to $S_Q$ defined by $I^*(v) = \{l\}$ and $r^*(l) = r(l)$. By Lemma 18

$\models_{I_v} \phi_v(l) \Leftrightarrow \models_{I^*} \phi_v(l)$

Since $r(l)$ is a candidate r-value for $v$ we can extend I to an instance $I^{**}$ of $S_Q$ by defining $I^{**}(v) = \{l^{**}\}$, $r^{**}(l^{**}) = r(l)$, for some new l-value $l^{**}$. We then have $\models_{I^{**}} \phi_v(l^{**})$. By Lemma 17, and therefore $\models_{I_v} \phi_v(l)$. ■

We  now  define  the  result  of  an  arbitrary  query  Q.  To  do  this,  we  first  define  composition  of  queries. 

Definition 27: Let $Q_1$ be a query and let $Q_2$ be a query on $S_{Q_1}$. $Q_2 \circ Q_1$ is the query on S that we get by composing them, i.e., $Q_2 \circ Q_1$ has $S_{Q_2 \circ Q_1} = S_{Q_2}$, $\Phi_{Q_2 \circ Q_1} = \Phi_{Q_1} \cup \Phi_{Q_2}$ and

$\prec_{Q_2 \circ Q_1} = \prec_{Q_1} \cup \prec_{Q_2} \cup \{(v, w) \mid v \in V_{Q_1}, w \in V_{Q_2}\}$

Lemma 20: $Q_2 \circ Q_1$ is a query on S. ■

Let the nodes added by the query Q be $V_Q - V = \{v_1, \ldots, v_n\}$ where $v_1 \prec \cdots \prec v_n$. We shall define a sequence of simple queries $Q_{v_1}, \ldots, Q_{v_n}$, as follows. Each $Q_{v_i}$ is a query on the schema of $Q_{v_{i-1}}$ and adds the node $v_i$ to that schema. The formula for $v_i$ is $\phi_{v_i}$. It is easy to see that $Q = Q_{v_n} \circ \cdots \circ Q_{v_1}$ and this enables us to easily define the result of Q.

Definition 28: The result of the query Q on I is the result of applying the queries $Q_{v_1}, \ldots, Q_{v_n}$ successively to I.

Lemma 21: The result of Q is well defined, i.e., different choices of l-values at each step yield isomorphic results.

Proof: This is a straightforward application of the first part of Lemma 19. ■

The  following  theorem  shows  that  the  result  of  the  query  has  the  desired  properties.  These  include  a  close 
relation  with  the  maximize  data  while  minimizing  duplication  approach  that  we  described  in  the  previous 
section. 

Theorem 22: Let $I_Q$ be the result of the query Q on the instance I.

1. Let $v$ be a node added by Q and let $l$ be an element of $I(v)$. Then $\models_{I_Q} \phi_v(l)$.

2. If $v$ is a node added by Q and $l_1$ and $l_2$ are two different l-values in $I(v)$ then $r(l_1) \neq r(l_2)$. In other words there is no duplication in the result.

3. $I_Q$ is a maximal extension of I to $S_Q$ that satisfies 1-2, i.e., there is no extension $I^*$ with $I^*(v) \supseteq I_Q(v)$ for all $v \in V_Q - V$ that satisfies 1-2 and such that for at least one $v$ the inclusion is proper.


Proof: 


1.  Let  Q*  be  the  query  o  •  *  •  o  QVl  where  v  =  v*  and  let  Iq*  be  the  result  of  Q*.  By  Lemma  19, 
1=  I  MV-  ft  ls  easy  to  see  t^iat  1  an  extension  °f  an  isomorphic  image  of  Iq  and  that  extending 

Iq  to  Sq  does  not  affect  the  satisfaction  of  <j>v . 


2.  Obvious. 


3. Assume that such an $I^*$ exists. Let $v = v_k$ be the first of the nodes $v_1, \ldots, v_n$ for which $I^*(v) \neq I_Q(v)$ and let $Q^*$ be the query $Q_{v_k} \circ \cdots \circ Q_{v_1}$. From 1 and 2 it follows immediately that both $I_Q$ and $I^*$ restricted to $S_{Q^*}$ are results of $Q^*$. Lemma 21 then implies that $I^*$ and $I_Q$ are isomorphic, a contradiction. ■


6.3.  Safe  Queries 

We have seen that provided that the set of candidate r-values at each node is finite, the result of the query is well-defined. It remains to see when the set of candidate r-values is finite.

Definition 29: A query Q on a schema S is safe if for every instance I of S, the set of candidate r-values at each node, under the construction described above, is finite.

Note that as we are considering only finite instances, this is the same as requiring that the query have a result on every database instance.

Let $v$ be a query node, i.e., an element of $V_Q - V$. Assume that we have defined the result of Q for all those nodes that precede $v$. If $\mu(v)$ = Q, O or A the set of candidate r-values for $v$ is contained in either the cartesian product, union or powerset of the instance(s) of its child(ren) and therefore must be finite. The only case when it may be infinite is when $\mu(v)$ = □. If the domain $D$ of data is finite, then all queries are safe, since the set of candidate r-values for nodes of type □ is a subset of $D$. We therefore assume throughout this section that $D$ is infinite.

Lemma 23: Q is safe on I iff for every query node $v$ of type □ the set of candidate r-values for $v$ is finite. ■

We  give  two  examples  using  the  database  and  query  schema  shown  in  Fig.  22  (page  37)  and  the  database 
instance  shown  in  Fig.  10  (page  11). 

Example 16: $\phi_{u'}(x_{u'})$ is $(\exists y_u)(x_{u'} =_r y_u) \lor (x_{u'} =_r \text{“Absalom”})$. This query is safe since the set of candidate r-values is $R$ = {Jesse, David, Batsheba, Solomon, Rehoboam, Absalom}.

Example 17: $\phi_{u'}(x_{u'})$ is $(x_{u'} \neq_r \text{“David”})$. This query is unsafe since the set of candidate r-values is $R = D - \{\text{David}\}$, an infinite set.

As we have pointed out above, testing whether a relational query is safe is undecidable. As we can reduce testing safety of relational queries to testing safety of LDM queries there cannot be a decision procedure that tells us whether a query is safe on all database instances.

We give, however, a decision procedure for safety on fixed instances. Let I be a fixed instance of S and let Q be a query on S.

Lemma 24: Let $w_1, \ldots, w_n$ be all of the nodes in the schema S that are of type □ and let $\{d_1, \ldots, d_k\}$ be the constants that occur in any of the query formulas. Q is safe on I iff for each query node $v$ of type □, every candidate r-value for $v$ is either a) the r-value of an element of some $I(w_i)$ or b) one of the $d_j$'s.

Proof: One direction is obvious: if this condition holds then Q is safe on I. We prove the converse by induction on the query nodes $V_Q - V = \{v_1, \ldots, v_n\}$ where $v_1 \prec \cdots \prec v_n$. Let $v = v_i$ be a query node of type □. We assume that the lemma holds for the nodes that precede $v_i$ and that the query is safe on I. Let $I_{i-1}$ be the result of $Q_{v_{i-1}}$.

Since $Q_v$ is safe on I the set of candidate r-values for $v$ is a finite set $R$. We have to show that

$$R \subseteq \{d_1, \ldots, d_k\} \cup \bigcup_{\mu(w) = \square,\; w \in V} I(w)$$

Call the right-hand side of this equation S. If the lemma is false, then there is some element $r$ in $R - S$. By the induction hypothesis

$$S = \{d_1, \ldots, d_k\} \cup \bigcup_{\mu(w) = \square,\; w \in V \text{ or } w \in V_Q,\, w \prec v} I_{i-1}(w)$$

Since $r$ is a candidate r-value for $v$, if we extend $I_{i-1}$ to an instance $I_i^1$ of $S_{Q_v}$ by defining $I_i^1(v) = \{l\}$ and $r_1(l) = r$, we have $\models_{I_i^1} \phi_v(l)$. Let $r'$ be an arbitrary element of $D - S$, and extend $I_{i-1}$ to an instance $I_i^2$ of $S_{Q_v}$ by defining $I_i^2(v) = \{l\}$ and $r_2(l) = r'$. Since $r$ and $r'$ do not appear in the database, previously constructed nodes, or in the query formulas, an induction shows that

$\models_{I_i^2} \phi_v(l)$

The key point in the induction is that $x_v$ can occur in $\phi_v(x_v)$ only in atomic formulas of the form $x_v =_r d_j$ and $x_v =_r y_w$, where $w$ is a node of type □ that is either in $V$ or is one of the nodes $v_1, \ldots, v_{i-1}$. The only other atomic formulas that can involve $x_v$ are $x_v =_l x_v$ and $x_v =_r x_v$, and these are always true. All these formulas are false whenever the r-value of $x_v$ is not in S.

We have therefore shown that all the elements of the infinite set $D - S$ are candidate r-values, a contradiction. ■

The technique of this proof gives us an effective procedure for determining whether the simple query $Q_v$ is safe on the instance I. Take some constant $d_0$ that does not occur anywhere in the database or in the query formulas. Test if $d_0$ is a candidate r-value (it is not difficult to see that this can be done effectively). In a similar way to the proof of the above lemma, we can show that $Q_v$ is safe on I iff $d_0$ is not a candidate r-value for $v$. Intuitively, if some such $d_0$ is in the result, the result is infinite since $d_0$ cannot be distinguished from any other such constant.

Combining this result with those of the previous section we get:

Theorem 25: Let Q be a query on S and let I be an instance of S. There is a decision procedure to test whether Q is safe on I. If Q is safe on I then the result can be computed effectively. ■

Even though testing for safety and computing the result can be done effectively, it can still be NP-hard to do so, as we shall see in Section 6.5.
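The fixed-instance safety test described above, as an added example (not code from the paper): a small Python evaluator for simple queries on a node of type □ whose formulas use only $=_r$ atoms, run on the formulas of Examples 16 and 17. The tuple encoding of formulas, the function names and the sample instance (names taken from Fig. 23, l-values constructed) are assumptions of this example.

```python
from itertools import count

# Formula encoding (an assumption of this example), restricted to =_r atoms
# over nodes of type □, so binding each variable to an r-value is enough:
#   ("eq_const", var, d)        var =_r d
#   ("eq_var", var1, var2)      var1 =_r var2
#   ("not", f)   ("and", f, g)   ("or", f, g)
#   ("exists", var, node, f)   ("forall", var, node, f)   var ranges over I(node)
FREE = "x"  # the single free variable x_v of the query formula


def holds(f, inst, env):
    """Evaluate formula f on instance inst under env (variable -> r-value)."""
    op = f[0]
    if op == "eq_const":
        return env[f[1]] == f[2]
    if op == "eq_var":
        return env[f[1]] == env[f[2]]
    if op == "not":
        return not holds(f[1], inst, env)
    if op == "and":
        return holds(f[1], inst, env) and holds(f[2], inst, env)
    if op == "or":
        return holds(f[1], inst, env) or holds(f[2], inst, env)
    if op in ("exists", "forall"):
        _, var, node, body = f
        results = (holds(body, inst, {**env, var: r}) for r in inst[node].values())
        return any(results) if op == "exists" else all(results)
    raise ValueError(f"unknown operator: {op}")


def constants(f):
    """Constants d_1, ..., d_k that occur in the formula."""
    op = f[0]
    if op == "eq_const":
        return {f[2]}
    if op == "eq_var":
        return set()
    if op == "not":
        return constants(f[1])
    if op in ("and", "or"):
        return constants(f[1]) | constants(f[2])
    return constants(f[3])  # quantifier: recurse into the body


def known_values(f, inst):
    """The finite set of Lemma 24: formula constants plus r-values in the database."""
    return constants(f) | {r for node in inst.values() for r in node.values()}


def fresh_constant(used):
    """A constant d_0 that occurs neither in the database nor in the formula."""
    for i in count():
        d0 = f"d0_{i}"
        if d0 not in used:
            return d0


def is_candidate(r, f, inst):
    """Definition 25: bind the new l-value's r-value to r and test the formula."""
    return holds(f, inst, {FREE: r})


def is_safe(f, inst):
    """Safe on this instance iff the fresh constant d_0 is not a candidate."""
    return not is_candidate(fresh_constant(known_values(f, inst)), f, inst)


def candidate_r_values(f, inst):
    """For a safe query, every candidate lies in known_values (Lemma 24)."""
    if not is_safe(f, inst):
        raise ValueError("query is unsafe on this instance: infinitely many candidates")
    return {r for r in known_values(f, inst) if is_candidate(r, f, inst)}


# Constructed sample instance: one □ node u; l-values 1..5 are placeholders.
SAMPLE_I = {"u": {1: "Rehoboam", 2: "Solomon", 3: "David", 4: "Batsheba", 5: "Jesse"}}

# Example 16: (exists y_u)(x =_r y_u) or (x =_r "Absalom")
EX16 = ("or", ("exists", "y", "u", ("eq_var", FREE, "y")), ("eq_const", FREE, "Absalom"))
# Example 17: not (x =_r "David")
EX17 = ("not", ("eq_const", FREE, "David"))

if __name__ == "__main__":
    print("Example 16 safe:", is_safe(EX16, SAMPLE_I))
    print("Example 16 candidates:", sorted(candidate_r_values(EX16, SAMPLE_I)))
    print("Example 17 safe:", is_safe(EX17, SAMPLE_I))
```
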


6.4.  Ordering  the  Nodes  in  a  Query 

We now examine more closely the role of the topological order in an LDM query. It might seem at first that we can relax the requirement. If each $\phi_v$ referred only to database nodes and to descendants of $v$, we could evaluate the query “bottom-up” without having to specify explicitly the evaluation order as part of the query.

Let us call the query language we would then get the bottom-up query language. The reason we prefer the LDM query language to the bottom-up query language is that the bottom-up language is not closed under composition.

The reason it is not is as follows. Let $Q_2$ be a query on the result of $Q_1$. Then the formula for a node $v$ in $Q_2$ can refer to a node $u$ in $Q_1$ that is not a descendant of $v$. This by itself does not necessarily mean that the language is not closed under composition: we might be able to rewrite the formula $\phi_v$ to get an equivalent query that does not refer to $u$. For example, if $u$ is of type O we can rewrite $\phi_v$ to refer only to the descendants of $u$. We now show that if $u$ is of type O this cannot always be done.

Theorem  26:  The  bottom-up  query  language  is  not  closed  under  composition. 

Proof: The database schema S consists of the node $v$ in Fig. 29. $Q_1$ adds the nodes $u$ and $w$, and $Q_2$ adds the node $t$ to the result of $Q_1$.


Figure 29: Query used in the proof of Theorem 26

The outline of the proof is as follows. We first show how by a suitable definition of $Q_1$ and $Q_2$ we can get $I(t)$ to contain copies of exactly those r-values in $I(v)$ that occur with the most duplication. If there were a bottom-up query equivalent to $Q_2 \circ Q_1$, it would have to define $I(t)$ in terms of database nodes and descendants of $t$, i.e. in terms of $I(v)$, alone. In the second part of the proof we show that this cannot be done.

Let I be an instance of S and let $d_1, \ldots, d_k$ be all the different r-values that occur in $I(v)$. Write $I(v)$ in the form

{!{, .. 


where $r(l_i^j) = d_j$. In other words, group the l-values in $I(v)$ by their r-values.

We define $Q_1$ and $Q_2$ by giving the formulas $\phi_w$, $\phi_u$ and $\phi_t$, and we show what the results of the queries are. $\phi_w(x_w)$ is the formula $(x_w =_l x_w)$ (or any other tautology). The result is simply the cross-product of $I(v)$ with itself, i.e., the candidate r-values for $v$ are $\{(l_1, l_2) \mid l_1, l_2 \in I(v)\}$.

<f>u(%u)  is  the  formula 


(3»S)(3i£)((#S  #r  yl) 

A  (3ztu)^tu  G  %u  A  zw  =r  (y^y^)^ 

A  (Vy®)(V^)(Vzro)(zw  E  xu  A  zw  =r  (yl,yt)  =>  yl  =r  y\  A  yt  =r  yl) 

A  (VziXVzJ )(Vyl)(z*  G  xu  Azl  e  xu  Ay%  zl  Ay%  zl  =>  z^  =,  z*) 

A  (VyjJ)^yjJ  —r  yl  (3zw)(zw  E  %u  A  y%  Ti  zw)^j 
A  (V4)(V4)(V^)(Vy^(Vyv5)(zi  E  xu  A  z^  £  A  zj,  =r  (y3,^) 

a  *1  —r  (y?,yjj)  =>  yt  =i  yl)) 

I(u)  contains  essentially  all  1-1  functions  from  sets  of  the  form  {Zf , . . . ,  Zfa}  into  {Zj, . . . ,  Z,^}  where  a  b. 
More  precisely,  the  candidate  r-values  for  u  are  those  R  C  I(w)  for  which  the  set  r*  =  {r(Z)  |  Z  £  .ft}  is  such 
a  function. 

Let  R  be  a  candidate  r-value  and  define  r*  as  above.  Let  /  be  a  new  Lvalue,  and  extend  I  to  the  node  u 
by  defining  I(u)  =  {Z}  and  r(Z)  =  ft.  Then  |=j  ^U(Z).  Let  li  and  lj  be  l-values  in  I(v)  that  correspond  to  the 
first  two  existential  quantifiers  in  <j>u.  By  the  first  conjunct  a  ±  b.  By  the  second  conjunct  (If,  Z®)  £  ft.  By 
the  third,  if  (Z i ,  Z2)  £  r*  then  r(Zi)  =  a  and  r(Z2)  =  6.  Therefore  r*  is  a  subset  of  {Z“, . . . ,  Zf^}  x  {Z®, . . . ,  Z®t}. 
The  fourth  conjunct  implies  that  r*  is  a  function  and  the  fifth  that  its  domain  is  the  entire"  set  {ZJ, . . . ,  If). 
Finally,  the  sixth  conjunct  implies  that  r*  is  1-1.  In  a  similar  way,  given  any  such  function  r*  we  can  show 
that  the  set  {Z  £  /( w)  \  r(l)  £  r*}  is  a  candidate  r-value. 

We  now  use  these  functions  to  find  those  r-values  that  occur  in  I(v)  with  the  most  duplication.  They  are 
those  da’s  for  which  there  is  a  1-1  function  from  each  set  {l[, Zj’J  into  the  set  {Z? , . . . ,  IfJ.  We  formalize 
this  by  defining  <j>t(xt)  as 


(3yi)^yJ  =r  *t 

A  (Vy^)(y*  yt)  =>  (3*u)^(3z«,)(  Zw  exuA  yl  7Ti  zw) 

A  {3zw)(3yl)(zw  £  xu  A  yl  tt2  zw  A  yl  =r  yl) 

Let  d  be  a  candidate  r-value  for  t.  By  the  first  conjunct  in  <f>tl  d  is  one  of  the  constants  dx,  . . . ,  dk ,  say 
d—da.  By  the  second  conjunct,  for  any  df,  ^  da  there  is  a  1-1  function  from  {/f, . . . ,  tfb]  to  lfa}  and 

therefore  da  occurs  in  I(v)  with  at  least  as  much  duplication  as  The  converse  is  shown  in  a  similar  way. 

To prove that the bottom-up query language is not closed under composition, it remains to show that there is no bottom-up query equivalent to $Q_2 \circ Q_1$. Such a query would have to define $I(t)$ by a formula $\phi_t(x_t)$ all of whose bound variables are of sort $v$.

Let $\phi_t$ be such a formula and let $n$ be the number of quantifiers it contains. Let I be an instance of S such that $I(v)$ contains $n + 1$ copies of $a$, i.e., l-values with $a$ as their r-value, and $n + 2$ copies of another constant $b$. Let $I^*$ be a second instance of S, that differs from I only by containing another copy of $a$, i.e., another l-value $l^*$ with r-value $a$. Then the only candidate r-value for $t$ on I should be $b$ and both $a$ and $b$ should be candidate r-values on $I^*$.

Let $l_t$ be a new l-value. Extend both I and $I^*$ to $t$ by defining $I(t) = I^*(t) = \{l_t\}$ and $r(l_t) = r^*(l_t) = a$. We shall complete the proof by showing that $\models_I \phi_t(l_t) \Leftrightarrow \models_{I^*} \phi_t(l_t)$, thus contradicting the fact that $a$ is a candidate r-value for $t$ on $I^*$ and not on I.

Let  the  free  variables  of  <j>  be  among  the  variables  a?J,  . . . ,  We  prove  the  following  by  induction. 
Let  Z*+1,  . . . ,  Zn,  or  any  other  subset  of  the  s  be  elements  of  I(v).  Let  Z  be  any  element  of  /(u)  distinct 
from  Zfc+i,  . . . ,  Zn  that  satisfies  r(Z)  =  a.  Then 

Nl  y  *  *  *  >  >  Jfc+lj  •  •  • »  ^n)  ^  N  I  •  •  •  » ^>  h+lj  *•*»  ^n) 

(Note  that  I*  is  the  1-value  that  appears  in  I*  but  not  in  I.)  Using  this  with  <j>  =  <f>t  will  complete  the  proof. 

When  <f>  is  an  atomic  formula  or  -*</> \  or  <j>\  A  <f> 2  the  proofs  of  this  assertion  is  straightforward.  The  hard 
case  is  when  <f>  is  (Va£)^(zt,  a; J, . . . ,  a?”).  Given  a  set  A  C  I(v)  we  shall  say  that  Z  is  suitable  for  A  if  r(Z)  =  a 
and  Z  is  not  an  element  of  A.  If  7  is  suitable  for  A  and  some  Z  E  A  has  r-value  a,  it  is  easy  to  see  that  Z 
is  suitable  for  A  —  {1}  U  {Z}.  The  assertion  says  that  if  Z  is  suitable  for  {Z*+i, . . . ,  Zn}  then  the  equivalence 
holds.  Since  I(v)  has  n+  1  copies  of  a,  we  can  always  find  at  least  two  suitable  l-values  for  any  set  A  of  size 
less  than  n. 

To  show  the  first  direction,  let  Z  be  suitable  for  {Z*+i, . . . ,  Zn}  and  assume  that 

. '•.fc+i . W 

Since  the  value  assigned  to  the  quantified  variable  x*v  is  irrelevant,  assume,  w.l.o.g.,  that  i  >  k  +  1.  For  all 
Jo€/(tO  CI»,  (=I^(Zt,Z*,...,Z%Z^+1,..MZ0,...,Zn) 

1.  If  Z0  h  z,  then  Z  is  suitable  for  {h+i,  • .  • ,  Zn}.  The  induction  hypothesis  then  implies  that 

hi  WtJ,  -->1, 4+i,  •  •  ^Zq,  . .  .,zn) 

2.  Replacing  the  quantified  variable  by  Z* ,  we  get 

hI^(Z«,Z*,...,Z*>Z|.+ll...fZ*,...lZ„) 

Since  Z  is  suitable  for  {Z*+i , . . . ,  U-lJi+U  •  •  Jn}  the  induction  hypothesis  implies 

h  I  *  *  •  1  Zfc+i , . . . ,  Z, . . . ,  Zn) 

Combining  these  two,  we  get 

t=l((V<)^)(Zf,Z,...,Z,  4+i,---,Z») 

For  the  converse,  assume  that  (=  j  ((Vx*  )(^)(Zt,  Z, . . ., Z,  Z^+i, . . . ,  Zn)  holds.  Then,  for  all  Zo  E  /(t>) 

hi 4>(hyh  4+i, •  •  •, Zo, •  •  • » 4) 

1.  If  Z0  /  Z,  then  Z  is  suitable  for  {Z0,  Zjt+i, . . . ,  Zj_i,Z,+i, . . .,  Zn}  and  therefore 

h  1*  ^  {h ,  Z* , . . . ,  Z* ,  4+i ,  *  •  *  1 4 ,  *  * . ,  4 ) 

2.  If  l0  =  /,  then  /  is  suitable  for  {4+i, . . . ,  /<_i,  U+i,  and  we  get

bl-M.**.  •  •  •  ,1* ,  4+1,  4) 

3.  So  far,  we  have  shown  that  /*,  4+i,  ...,l0,...,ln)  for  any  l0  in  I(v).  Pick  two  1-values 

4  and  1'0  that  are  both  suitable  for 

4+1  ,  •  •  •  »  k— 1  j  f»+l  j  •  •  >i 

Then  1'0  is  suitable  for  {/o,  4+i>  •  •  • ,  ^i-i,  4+1  >  •  •  •  >  4}  and  the  induction  assumption  implies  that 

1=1  ^{k,  lo,  —  >  lo>  4+i,  •  •  • ,  lo,  •  •  • >  In) 

lo  is  suitable  for  {/(,,  4+i,  •  •  • ,  k-i,  k+i,  •  •  • ,  4}  and  the  induction  hypothesis  now  gives  us 

\=lMlt,l'o,  •  •  •  >  l'o,  4+1,  4) 

Using  the  induction  assumption  once  more,  together  with  the  fact  that  1  is  suitable  for 

{l'o,  4+i,  •  •  •,  4-i,  4+i,  •  •  •  ,4} 

gives  us  |=  j  <t>(lt,l'o,  •  •  -ylo,  4+i,  •  •  .,4  •  •  .,4)  Finally  we  use  the  induction  hypothesis  another  time, 
this  time  with  the  fact  that  I'0  is  suitable  for 

,  4+i  i,/t+i,...,  4} 

to  get  hl^(lt,lt,...,l*,lk+u...,l...,ln). 

Combining  these  shows  that  \=  j.  ((Vzj,  ,  /*  4+i ,  •  •  • ,  4)  and  completes  the  proof.  | 

As  a  consequence  of  this  theorem  we  see  that  the  topological  order  is  a  necessary  part  of  the  definition 
of  the  LDM  query  language.  However,  this  does  not  mean  that  the  user  has  to  explicitly  specify  the  order 
as  part  of  the  query,  since  it  is  enough  if  he  just  specifies  the  formulas  at  the  nodes  of  the  query.  The 
system  can  then  pick  some  order  on  the  query  nodes  that  is  consistent  with  the  graph  edges  and  the  implicit 
dependencies  of  one  formula  on  another,  i.e.,  if  the  formula  for  v  refers  to  the  node  u  then  u  must  precede  v. 
If  the  query  is  a  legal  one  such  an  order  must  exist.  The  specific  order  we  pick,  subject  to  these  constraints, 
turns  out  to  be  irrelevant.  The  following  theorem  shows  that  if  we  pick  a  different  ordering  we  would  get  an 
equivalent  query. 

Theorem 27: Let $Q_1 = (S_Q, \prec_1, \Phi_Q)$ and $Q_2 = (S_Q, \prec_2, \Phi_Q)$ be two queries on a schema S that differ only in the topological order. Let I be an instance of S. Then the results of $Q_1$ and $Q_2$ on I are isomorphic relative to S.

Proof: Let $I_1$ and $I_2$ be the two results. Let the query nodes be $V_Q - V = \{v_1, \ldots, v_n\}$ where $v_1 \prec_1 \cdots \prec_1 v_n$. We define an isomorphism $f$ from $I_1$ to $I_2$ by induction on the order $\prec_1$. Assume $f$ has been defined for all $w$ such that $w \prec_1 v$. Let $R$ be the set of candidate r-values for $v$ and write $I_1(v)$ as $\{l_r \mid r \in R\}$. We first define a mapping $f^*$ on the candidate r-values for $v$ as follows.

1. If $\mu(v)$ = □, then $f^*(r) = r$.

2. If $\mu(v)$ = (O, n), then $r$ is a tuple $(l_1, \ldots, l_n)$ and we define

$f^*(r) = (f(l_1), \ldots, f(l_n))$

3. If $\mu(v)$ = A then $r$ is the l-value $l$ and we define $f^*(r) = f(l)$.

4. If $\mu(v)$ = O, then $r$ is a set and we define $f^*(r) = \{f(l) \mid l \in r\}$.

It is not hard to show that $f^*(r)$ is a candidate r-value for $v$ in $Q_2$. Somewhat informally, the proof is as follows. Let $I_1(v)$ consist of the single l-value $l_1$ with r-value $r$ and let $I_2(v)$ consist of the single l-value $l_2$ with r-value $f^*(r)$. Restrict the schema in both cases to the database S and those nodes that precede $v$ in both $Q_1$ and $Q_2$. We can then show that by defining $f(l_1) = l_2$ we get an isomorphism between the instances. Theorem 3 then shows that $f^*(r)$ is a candidate r-value for $v$ in $Q_2$.

We can show in a similar way that the image of $f^*$ contains all the candidate r-values for $v$ in $Q_2$, and we can therefore write $I_2(v)$ as $\{l_{f^*(r)} \mid r \in R\}$ where $r(l_{f^*(r)}) = f^*(r)$. By defining $f(l_r) = l_{f^*(r)}$ we get the desired isomorphism. ■

6.5.  Complexity  of  the  Query  Language 

It is clear that the complexity of evaluating a query can be exponential, or worse, in the size of the database
instance, since even the size of the result itself can be multiply exponential in the database size. We therefore
ask  the  following  question:  Given  a  query  and  a  database  instance  what  is  the  complexity  of  testing  whether 
the  result  is  empty?  We  show  that  even  this  problem  is  NP-hard. 

Theorem  28:  Let  Q  be  a  query  on  a  database  with  schema  S  and  instance  I.  It  is  NP-hard  to  determine 
whether  the  result  of  Q  on  I  is  empty  or  not. 

Proof:  We  reduce  the  problem  to  3SAT  [GJ79].  For  the  reduction  we  use  the  database  and  query  schemas 
shown  in  Fig.  30,  where  the  database  schema  is  in  the  box  on  the  right.  We  describe  informally  how  to  map 
an  instance  of  3SAT  into  a  database  instance  and  what  the  query  Q  is. 


Figure  30:  Reduction  from  3SAT 

The instance I corresponding to an instance of 3SAT is defined as follows. u contains all the variables in the instance and v contains the two constants T and F. w contains all possible pairs (x, T). Finally, each set in t corresponds to a clause, where the pair (x, T) is interpreted as the variable $x$ and (x, F) as the variable $\bar{x}$.

Q is defined as follows. Each set in s corresponds to a satisfying truth assignment. In other words, such a set r must satisfy:

1. No two pairs (x, T) and (x, F) are in r. The pair (x, T) is now interpreted as assigning the value true to x.

2. For each x in u, either (x, T) or (x, F) is in r.

3. Each clause, i.e., each set {(x, a), (y, b), (z, c)} in t is “satisfied” by the members of s, i.e., at least one of (x, a), (y, b) and (z, c) is in r.

It should be clear that we can write a formal LDM query expressing these requirements. It is then easily seen that instances for which 3SAT has a solution are mapped into database instances for which the query has a nonempty result and then testing whether the result is empty shows whether the instance of 3SAT has a satisfying truth assignment. |
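The reduction above, run on two small formulas, as an added Python example that is not part of the original text. The function and constant names are hypothetical, the two sample formulas are constructed, and w is taken to hold every (variable, constant) pair, which is an assumption about the instance description.

```python
from itertools import chain, combinations, product

T, F = "T", "F"


def build_instance(clauses):
    """Map a 3SAT instance to the contents of the database nodes u, v, w, t.

    A clause is a list of (variable, constant) pairs: (x, T) stands for the
    literal x and (x, F) for its negation.
    """
    u = sorted({x for clause in clauses for x, _ in clause})  # the variables
    v = [T, F]                                                # the two constants
    w = list(product(u, v))  # assumption: every (variable, constant) pair
    t = [frozenset(clause) for clause in clauses]             # one set per clause
    return u, v, w, t


def is_truth_assignment(r, u, t):
    """Conditions 1-3 that the query imposes on a set r in the node s."""
    consistent = not any((x, T) in r and (x, F) in r for x in u)  # condition 1
    total = all((x, T) in r or (x, F) in r for x in u)            # condition 2
    satisfies = all(clause & r for clause in t)                   # condition 3
    return consistent and total and satisfies


def query_result(clauses):
    """Contents of the query node s: all subsets of w meeting conditions 1-3.

    The candidates are the 2^(2n) subsets of w for n variables, which is why
    this direct evaluation is exponential in the size of the instance.
    """
    u, _, w, t = build_instance(clauses)
    subsets = chain.from_iterable(combinations(w, n) for n in range(len(w) + 1))
    return [frozenset(r) for r in subsets
            if is_truth_assignment(frozenset(r), u, t)]


def satisfiable(clauses):
    """The 3SAT instance is satisfiable iff the query result is nonempty."""
    return bool(query_result(clauses))


# Constructed sample: (x or y or z) and (not x or not y or not z).
SAT_EXAMPLE = [[("x", T), ("y", T), ("z", T)],
               [("x", F), ("y", F), ("z", F)]]

# Constructed sample: all eight sign patterns over x, y, z (unsatisfiable).
UNSAT_EXAMPLE = [[("x", a), ("y", b), ("z", c)]
                 for a, b, c in product([T, F], repeat=3)]

if __name__ == "__main__":
    for name, clauses in (("SAT", SAT_EXAMPLE), ("UNSAT", UNSAT_EXAMPLE)):
        print(name, "sets in s:", len(query_result(clauses)))
```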

A modification of the above proof shows that it is also NP-hard to determine whether a query Q is safe on a given database instance I. To see this, let the database be as in the proof of the above theorem, and let Q add the node s above, followed by a node q of type □. The formula $\phi_s(x_s)$ is as before, while $\phi_q(x_q)$ will just require that the result at the node s be nonempty, e.g., by the formula $\phi_q(x_q) = (\exists x_s)(x_s =_l x_s)$. Note that $\phi_q$ does not mention the variable $x_q$.

If we map instances of 3SAT into database instances as above, then whenever the instance of 3SAT has a satisfying truth assignment, the result at s is nonempty. In that case $\phi_q$ is satisfied by any l-value, and the query is unsafe.

Conversely, whenever the instance of 3SAT has no satisfying truth assignment, the result at s is empty. But then $\phi_q$ is satisfied by no l-value and therefore Q is safe. This shows that a test for safety can be used to test satisfiability, and therefore that the problem of testing a query for safety on a given instance is NP-hard.

Chapter 7. The Algebraic Query Language


7.1.  The  Algebraic  Operators 

In  this  section  we  define  a  complete  set  of  algebraic  operators.  We  shall  then  show  that  any  safe  logical  query 
is  equivalent  to  some  sequence  of  algebraic  operations.  Conversely,  each  algebraic  operation  is  equivalent  to 
a  safe  logical  query. 

Since  a  logical  query  adds  some  nodes  to  the  database  schema  and  leaves  the  instance  of  the  database 
schema  unchanged,  each  algebraic  operator  must  do  the  same.  So  a  selection  operator,  for  example,  should 
not  delete  tuples  that  do  not  satisfy  the  selection  condition,  but  should  rather  create  a  copy  of  the  database 
node.  That  copy  should  contain  only  those  tuples  that  satisfy  the  condition.  In  fact  this  copying  of  tuples 
is really what is done in the relational model—a query does not throw away those tuples in the database
that  do  not  meet  a  selection  condition,  but  rather  copies  those  tuples  that  do.  This  issue  is  not  addressed 
explicitly  in  relational  database  theory,  since  the  theory  does  not  deal  with  what  happens  to  temporary 
relations  that  are  created  while  computing  the  result  of  a  query. 

In this section S will be a database schema with instance I. The algebra will consist of operations of the form $w \leftarrow \alpha(v_1, \ldots, v_n)$. Here $\alpha$ is the name of the operator, and its arguments $v_1, \ldots, v_n$ are nodes in the schema S. $\alpha$ adds the node w to the schema, and extends I to the new schema. We define each operator as a simple logical query. To define each operator we give

1. The types of its arguments.

2. The type of w and the list of its children.

3. An LDM formula $\phi_w(x_w)$ that specifies the contents of I(w).

7.1.1.  Operators  that  Copy  and  Combine  Existing  Nodes 

1. $w \leftarrow \square(v)$ creates a copy of the node v, as is shown in Fig. 31. In all these figures the schema S is shown in the box on the right, and the node that is created by the operation is on the left. For each distinct r-value in I(v), I(w) will contain exactly one l-value with this r-value. Note that duplication in I(v) is eliminated in I(w).

(a) v is a node of S that has type □.

(b) w is of type □.

(c) $\phi_w(x_w)$ is $(\exists x_v)(x_v =_r x_w)$.

Figure 31: The algebraic operation $w \leftarrow \square(v)$

Figure 32: The algebraic operation $w \leftarrow \circledast(v)$

2. $w \leftarrow \square(d)$ creates a node of type □ that contains just the constant d.

(a) d is a constant in the data domain D.

(b) w is of type □.

(c) $\phi_w(x_w)$ is $x_w =_r d$.

3. $w \leftarrow \circledast(v)$ creates a node that contains the powerset of I(v) (see Fig. 32).

(a) v is any node in the schema S.

(b) w is of type $(\circledast, v)$.

(c) $\phi_w(x_w)$ is T (i.e. always true).

4. $w \leftarrow \otimes(v_1, \ldots, v_n)$ creates a node that contains the cartesian product $I(v_1) \times \cdots \times I(v_n)$ (see Fig. 33).

(a) $v_1, \ldots, v_n$ are any n nodes in the schema S.

(b) w is of type $(\otimes, n, v_1, \ldots, v_n)$.

(c) $\phi_w(x_w)$ is T.

5. $w \leftarrow \triangle(v_1, \ldots, v_n)$ creates a node that contains the disjoint union $I(v_1) \cup \cdots \cup I(v_n)$ (see Fig. 34).

(a) $v_1, \ldots, v_n$ are n distinct nodes of the schema S.

(b) w is of type $(\triangle, v_1, \ldots, v_n)$.

(c) $\phi_w(x_w)$ is T.

Example  18:  In  all  the  examples  in  this  section  S  will  be  the  genealogy  whose  schema  is  shown  in  Fig.  8 
(on  page  10).  In  most  of  the  examples  the  instance  will  be  that  shown  in  Fig.  10  (page  11). 

1. The operation $u' \leftarrow \square(u)$ adds the node u' to S, and extends the instance as shown in Fig. 35.

2. For the remainder of this example, the database instance will be the smaller instance in Fig. 36. The result of the operation $u' \leftarrow \circledast(u)$ is the schema shown in Fig. 37, together with the instance shown in Fig. 38.

3. The result of the operation $v' \leftarrow \otimes(u, u)$ is the schema shown in Fig. 39, together with the instance in Fig. 40.

Figure 35: Example of the algebraic operation $u' \leftarrow \square(u)$

Figure 36: A smaller instance of the genealogy schema

Figure 37: Example of the algebraic operation $u' \leftarrow \circledast(u)$

Figure 38: Result of $u' \leftarrow \circledast(u)$

Figure 39: Example of the algebraic operation $v' \leftarrow \otimes(u, v)$

Figure 40: Result of the operation $v' \leftarrow \otimes(u, v)$


7.1.2.  Selection  Operators 

The  LDM  algebra  has  two  selection  operators. 

1. The operation $w \leftarrow \sigma_{i\,\theta\,j}(v)$ is similar to the selection operation in the relational algebra. This operator selects those tuples in v whose ith and jth components are related by $\theta$ (see Fig. 41).

(a) v is a node of S of type $(\otimes, n, v_1, \ldots, v_n)$ and $i\,\theta\,j$ is one of the relations $i \in j$, $i\,\pi_t\,j$, $i\,\rho\,j$, $i =_l j$ and $i =_r j$.

(b) w is of type $(\otimes, n, v_1, \ldots, v_n)$.

(c) $\phi_w(x_w)$ is

$$(\exists x_v)(\exists y_{v_i})(\exists y_{v_j})(y_{v_i}\,\pi_i\,x_v \wedge y_{v_j}\,\pi_j\,x_v \wedge y_{v_i}\,\theta\,y_{v_j} \wedge x_v =_r x_w)$$

Alternatively, $\theta$ may be of the form $i =_r d$ where d is a constant in D. Then $\phi_w(x_w)$ is

$$(\exists x_v)(\exists y_{v_i})(y_{v_i}\,\pi_i\,x_v \wedge y_{v_i} =_r d \wedge x_v =_r x_w)$$

Figure 41: The algebraic operation $w \leftarrow \sigma_{i\,\theta\,j}(v)$

Figure 42: The algebraic operation $w \leftarrow \sigma_m(u, v)$


2. $w \leftarrow \sigma_m(u, v)$. Here u is a child of v, and w will contain those elements of I(u) that actually appear in I(v), i.e., depending on the type of v, those elements of I(u) that occur either as members of sets, r-values or tuples (see Fig. 42).

(a) u and v are nodes of S and u is a child of v.

(b) w is of the same type as u and has the same children.

(c) $\phi_w(x_w)$ depends on the type of v. Note that v cannot be of type □ since it has a child u.

i. If v is of type $\otimes$ with u as its ith child then $\phi_w(x_w)$ is

$$(\exists x_u)(\exists x_v)(x_u =_r x_w \wedge x_u\,\pi_i\,x_v)$$

If there are multiple edges from v to u, we have to say which one we mean. In this case we shall use the notation $\sigma_m(u, v, i)$ to mean: use the ith edge with tail v.

ii. If v is of type $\triangle$ then $\phi_w(x_w)$ is

$$(\exists x_u)(\exists x_v)(x_u =_r x_w \wedge x_u\,\rho\,x_v)$$

iii. If v is of type $\circledast$, then $\phi_w(x_w)$ is

$$(\exists x_u)(\exists x_v)(x_u =_r x_w \wedge x_u \in x_v)$$

Example  19:  The  schema  continues  to  be  that  of  Fig.  8  (page  10)  and  the  instance  is  that  of  Table  10 
(page  11). 

1. The result of the operation $u' \leftarrow \sigma_{(1 =_r \text{``Rehoboam''})}(v)$ is the schema shown in Fig. 43, together with the instance in Fig. 44.

2. The result of $u' \leftarrow \sigma_m(w, v)$ is the schema in Fig. 45, and the instance in Table 46. Note that in this example u' is simply a copy of w, since every set in I(w) is a member of some tuple in I(v).

Figure 44: Result of the operation $u' \leftarrow \sigma_{(1 =_r \text{``Rehoboam''})}(v)$


7.1.3. Union, Difference and Projection

1. The union operator is similar to the relational union. The syntax we use is $w \leftarrow \cup(v_1, \ldots, v_n)$ (see Fig. 47).

(a) $v_1, \ldots, v_n$ are n nodes of S that are of the same type and have the same children.

(b) w has the same type and the same children as the $v_i$'s.

(c) $\phi_w(x_w)$ is $(\exists x_{v_1})(x_{v_1} =_r x_w) \vee \cdots \vee (\exists x_{v_n})(x_{v_n} =_r x_w)$.

2. For difference we shall use infix notation, i.e., we shall write $w \leftarrow v_1 - v_2$ rather than $-(v_1, v_2)$.

(a) $v_1$ and $v_2$ are nodes of S that are of the same type and have the same children.

(b) w has the same type and the same children as $v_1$ and $v_2$.

(c) $\phi_w(x_w)$ is $(\exists x_{v_1})(x_{v_1} =_r x_w) \wedge (\forall x_{v_2})(x_{v_2} \neq_r x_w)$.

Figure 47: The algebraic operation $w \leftarrow \cup(v_1, v_2)$

Figure 48: The algebraic operation w <- Π{ . ,

3. The projection operation is similar to projection in the relational algebra. The syntax we use is $w \leftarrow \Pi_A(v)$, where A is an ordered multiset of edges with tail v.

(a) v is a node of S of type $(\otimes, n, v_1, \ldots, v_n)$ and A is an ordered multiset of edges with tail v.

(b) Let $A = \{e_1, \ldots, e_k\}$ where $e_j$ is the edge $(v, v_{i_j})$. Then w is of type $(\otimes, k, v_{i_1}, \ldots, v_{i_k})$.

(c) $\phi_w(x_w)$ is

$(\exists x_v)(\exists x_{v_1}) \cdots (\exists x_{v_n})((x_{v_{i_1}}\,\pi_1\,x_w) \wedge \cdots \wedge (x_{v_{i_k}}\,\pi_k\,x_w) \wedge x_v =_r (x_{v_1}, \ldots,$

When it will not cause any ambiguity, we shall use a set A of nodes rather than of edges, as in Fig. 48.

7.2. Equivalence of the Logical and Algebraic Query Languages

We  can  now  use  the  algebraic  operators  defined  in  the  previous  section  to  define  an  algebraic  query  language. 
An algebraic query will be a sequence $\{\alpha_1, \ldots, \alpha_n\}$ of algebraic operators, where each $\alpha_i$ is an algebraic
operator on the result of $\alpha_{i-1}$. We want to show that this query language is equivalent to the logical query
language.  In  other  words,  for  each  logical  query  on  a  schema  S,  there  should  exist  a  sequence  of  algebraic 
operations,  and  vice  versa,  with  the  property  that  the  schemas  created  by  these  two  queries  are  identical,  and 
for  every  database  instance  I,  the  results  are  isomorphic  relative  to  S.  Unfortunately,  as  the  next  example 
shows,  this  is  not  quite  true. 

Example 20: Let S consist of a node u of type □ and let Q be the logical query that adds a node v of type □ to S. Let $d_1$ and $d_2$ be two distinct constants, and let $\phi_v(x_v)$ be $(x_v =_r d_1 \vee x_v =_r d_2)$. The candidate r-values for v are then $\{d_1, d_2\}$. There is no algebraic query equivalent to Q. If there were such a query, it would consist of one algebraic operation alone, since each operator adds a new node to the schema. By inspection we can see that no single algebraic operator is equivalent to Q.

How can we modify the definition to get an equivalent query? If $Q_A$ is the algebraic query that consists of the operators $w_1 \leftarrow \square(d_1)$, $w_2 \leftarrow \square(d_2)$ and $v \leftarrow \cup(w_1, w_2)$ it is clear that the instance of v is what we are after. If we were then to restrict the result of the query to the schema that consists of the nodes u and v we get the instance we want. We have essentially used the two nodes $w_1$ and $w_2$ for temporary storage while computing the result of the query. In fact the same thing occurs in the relational model, since temporary relations are used there for subexpressions and then deleted at the end. It is therefore reasonable to expect the same thing to happen in the logical data model.

To  be  able  to  use  temporary  nodes,  we  extend  the  algebraic  query  language  by  adding  a  “delete”  operator. 
This  operator  will  delete  a  node  from  the  schema  and  restrict  the  instance  of  the  original  schema  to  the  new 
schema.  We  have  to  make  sure  that  we  never  delete  a  node  that  is  the  child  of  some  other  node,  since  in 
that case the result would not be a legal schema. The operator that deletes the node v will be written D(v).

Definition  30:  Let  S  be  an  LDM  schema  with  instance  I.  The  algebraic  operator  D(v)  is  legal  when  v  is  a 
node  with  no  parent.  The  result  of  D(v)  is  the  schema  S'  that  consists  of  deleting  v  from  S,  together  with 
the  instance  that  we  get  by  restricting  I  to  S'. 

In  the  algebraic  query  language  we  must  take  care  not  to  delete  database  nodes,  i.e.,  we  must  only  allow 
the  user  to  delete  nodes  that  have  been  constructed  by  his  query.  We  shall  call  the  language  with  the  deletion 
operator  the  extended  algebraic  query  language. 

Definition 31: Let S be an LDM schema. An extended algebraic query on S is a sequence $Q_A = (\alpha_1, \ldots, \alpha_n)$ where each $\alpha_i$ is either

1. An operation of the form $w_i \leftarrow \beta_i(v_i^1, \ldots, v_i^{k_i})$, where $\beta_i$ is an algebraic operator other than the deletion operator and $v_i^1, \ldots, v_i^{k_i}$ are either nodes of S or are nodes that were created by some previous $\beta_j$ and have not been deleted.

2. The operator $D(v_i)$, where $v_i$ is a node that was created by a previous algebraic operator in the sequence and has not yet been deleted.
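Example 20's query with its temporary nodes, checked against the legality rules of Definitions 30 and 31, as an added Python example rather than code from the original text. The class `LDM`, its method names and the sample r-values are hypothetical; only basic, union and product nodes are modelled.

```python
from itertools import count, product as cartesian


class LDM:
    """Toy LDM schema and instance: each node maps l-values (addresses) to r-values."""

    def __init__(self):
        self.nodes = {}         # name -> {"type", "children", "inst": {l-value: r-value}}
        self.created = set()    # nodes built by the query, the only ones D may remove
        self._fresh = count(1)  # supply of unused l-values

    def _require(self, *names):
        for name in names:
            if name not in self.nodes:
                raise ValueError(f"{name!r} is not a node of the current schema")

    def _add(self, name, typ, children, rvalues, dedupe=True):
        if name in self.nodes:
            raise ValueError(f"node {name!r} already exists")
        if dedupe:  # a query node holds exactly one l-value per distinct r-value
            rvalues = dict.fromkeys(rvalues)
        inst = {next(self._fresh): r for r in rvalues}
        self.nodes[name] = {"type": typ, "children": tuple(children), "inst": inst}

    def _query_node(self, name, typ, children, rvalues):
        self._add(name, typ, children, rvalues)
        self.created.add(name)

    def database_node(self, name, rvalues):
        """Node of the database schema S (basic type); duplicate r-values are kept."""
        self._add(name, "basic", (), rvalues, dedupe=False)

    def rvalues(self, name):
        return set(self.nodes[name]["inst"].values())

    def const(self, w, d):
        """w <- box(d): a basic node holding only the constant d."""
        self._query_node(w, "basic", (), [d])

    def copy(self, w, v):
        """w <- box(v): copy a basic node, collapsing duplicate r-values."""
        self._require(v)
        if self.nodes[v]["type"] != "basic":
            raise ValueError("copy is defined on basic nodes only")
        self._query_node(w, "basic", (), self.nodes[v]["inst"].values())

    def union(self, w, *vs):
        """w <- U(v1, ..., vn): the arguments must share type and children."""
        self._require(*vs)
        shapes = {(self.nodes[v]["type"], self.nodes[v]["children"]) for v in vs}
        if len(shapes) != 1:
            raise ValueError("union arguments must have the same type and children")
        typ, children = shapes.pop()
        rvals = [r for v in vs for r in self.nodes[v]["inst"].values()]
        self._query_node(w, typ, children, rvals)

    def product(self, w, *vs):
        """w <- product(v1, ..., vn): r-values are tuples of the children's l-values."""
        self._require(*vs)
        tuples = cartesian(*(self.nodes[v]["inst"] for v in vs))
        self._query_node(w, "product", vs, tuples)

    def delete(self, v):
        """D(v): legal only for a query-built node that is not a child of any node."""
        self._require(v)
        if v not in self.created:
            raise ValueError(f"{v!r} is a database node and cannot be deleted")
        parents = [n for n, node in self.nodes.items() if v in node["children"]]
        if parents:
            raise ValueError(f"{v!r} still has parent(s) {parents}")
        del self.nodes[v]
        self.created.discard(v)


def example_20():
    """Build {d1, d2} in node v using temporary nodes w1 and w2, then delete them."""
    db = LDM()
    db.database_node("u", ["Solomon", "Solomon", "David"])  # constructed sample data
    db.const("w1", "d1")
    db.const("w2", "d2")
    db.union("v", "w1", "w2")
    db.delete("w1")
    db.delete("w2")
    return db


if __name__ == "__main__":
    db = example_20()
    print(sorted(db.nodes), sorted(db.rvalues("v")))
```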

Definition 32: Let $Q_A$ be an extended algebraic query on S, and let $Q_B$ be an extended algebraic query on the result of $Q_A$. The query $Q_B \circ Q_A$ is the composition of $Q_A$ and $Q_B$, formed simply by concatenating the lists of algebraic operators.

Obviously, the delete operator itself is not equivalent to any logical query, since every logical query adds
nodes  to  the  schema.  This  by  itself  does  not  necessarily  mean  that  we  cannot  find  a  logical  query  equivalent 
to  any  extended  algebraic  query.  After  all,  an  extended  algebraic  query  does  not  delete  nodes  of  S,  since  the 
only  nodes  that  are  deleted  are  those  that  were  constructed  by  previous  algebraic  operations.  It  might  still 
be  the  case,  as  happened  in  Example  20,  that  there  is  an  equivalent  logical  query  that  somehow  expresses 
what  the  result  of  the  query  should  be  without  using  these  temporary  nodes. 

At  the  end  of  this  chapter  (Theorem  36)  we  shall  prove  that  such  a  query  does  not  exist,  thus  showing 
that  the  extended  algebraic  query  language  is  strictly  more  powerful  than  the  logical  query  language.  We 
can  get  equivalence  by  a  simple  modification  of  the  logical  query  language:  Allow  logical  queries  to  use 
temporary  nodes  as  well. 

Definition 33: Let S be an LDM schema. An extended logical query on S is a tuple $Q = \langle S_Q, \Phi_Q, \prec_Q, D_Q \rangle$ where

1. $(S_Q, \Phi_Q, \prec_Q)$ is a logical query on S.

2. $D_Q$ is the set of temporary nodes used in the query. $D_Q$ is a subset of the query nodes $V_Q - V$ that we can delete and still get an LDM schema. In other words, there is no edge with tail outside $D_Q$ and head in $D_Q$, i.e., if $(e_1, e_2) \in D_Q$ and $e_2 \in D_Q$ then $e_1 \in D_Q$.

Definition 34: Let Q be the extended logical query $Q = \langle S_Q, \Phi_Q, \prec_Q, D_Q \rangle$, and let I be an instance of S. The result of this query consists of

1. The schema $S_Q$ consisting of

(a) The nodes in $V_Q - D_Q$.

(b) The relevant edges, i.e., all those edges of $S_Q$ whose head and tail are both in $V_Q - D_Q$.

(c) The restriction of the type assignment $\mu$ to $V_Q - D_Q$.

2. The result of Q on I is defined as follows. Let $I_Q$ be the result of $(S_Q, \Phi_Q, \prec_Q)$ on I. The result of Q on I is then the restriction of $I_Q$ to $S_Q$.

We now start to prove the main result of this section, that the two extended query languages are equivalent. We start by proving that every extended algebraic query is equivalent to some extended logical query.

Lemma 29: Let $Q_A = \{\alpha_1, \ldots, \alpha_n\}$ be an extended algebraic query on S. There exists a safe extended logical query $Q_L$ on S such that for every instance I of S, the results of $Q_A$ and $Q_L$ on I are isomorphic relative to S.

Proof: The schema of $Q_L$ will consist of all those nodes that are created by the operations in the query $Q_A$. The set of temporary nodes $D_{Q_L}$ will be the set of nodes deleted in $Q_A$, i.e., $\{v_i \mid \text{the operator } \alpha_i \text{ is } D(v_i)\}$. Since we are only allowed to delete nodes that are not in S and that have no parent, it is easy to see that there is no edge with tail outside $D_{Q_L}$ and head in it. Each $\alpha_j$ that is not a delete operator must be of the form $w_j \leftarrow \beta_j(w_j^1, \ldots, w_j^{k_j})$. We define an order on the nodes of $V_Q - V$ as follows: $w_i \prec w_j$ whenever $i < j$.

$\phi_{w_j}(x_{w_j})$ is the formula that was used to define the operator $\beta_j$ in the previous section. It is easy to verify that the results of $Q_A$ and $Q_L$ on any instance I are indeed isomorphic. |

We now show the converse. Let $Q_L$ be a logical query on S. For the moment, we shall look at queries in the original, rather than the extended query language. Afterwards we shall see what to do with the extended query language. Let I be a fixed instance of S. The definition of $Q_A$ will not depend on I, but the results of $Q_A$ and $Q_L$ will only be isomorphic on those instances of S on which $Q_L$ is safe. We keep I fixed just so we will be able to prove various lemmas about the results as we go along. Fig. 49 shows some of the nodes we construct in the algebraic query, and may help to understand the construction.

Figure 49: Constructing an equivalent algebraic query

We first look at the case when $Q_L$ is a simple query $Q_w$. We start by creating a node $w_{dom}$ that contains the “domain” of w, i.e., all those objects that might be candidate r-values for w if we were to ignore everything except the type of w and the fact that $Q_L$ is safe on I. We define $w_{dom}$ as follows.

1. If w is of type □, let $v_1, \ldots, v_t$ be all the nodes in S that are of type □ and let $d_1, \ldots, d_k$ be the constants that occur in $\phi_w(x_w)$. Define $w_{dom}$ by the algebraic query:

$$\begin{array}{l}
s_1 \leftarrow \square(v_1) \\
\vdots \\
s_t \leftarrow \square(v_t) \\
s_{t+1} \leftarrow \square(d_1) \\
\vdots \\
s_{t+k} \leftarrow \square(d_k) \\
w_{dom} \leftarrow \cup(s_1, \ldots, s_{t+k}) \\
D(s_1) \\
\vdots \\
D(s_{t+k})
\end{array}$$

2. If $\mu(w) = (\otimes, k, v_1, \ldots, v_k)$ define $w_{dom}$ by $w_{dom} \leftarrow \otimes(v_1, \ldots, v_k)$.

3. If $\mu(w) = (\circledast, v)$ define $w_{dom}$ by $w_{dom} \leftarrow \circledast(v)$.

4. If $\mu(w) = (\triangle, v_1, \ldots, v_k)$ define $w_{dom}$ by $w_{dom} \leftarrow \triangle(v_1, \ldots, v_k)$.

We shall call this algebraic query $Q_{dom}$. We formalize the intuition behind it in the following lemma.


Lemma 30:

1. The schema created by $Q_{dom}$ is equal to the schema of S together with a node $w_{dom}$ of the same type and with the same children as the node w in the original logical query $Q_w$.

2. Let $I_{dom}$ be the result of $Q_{dom}$ on I and let $I_w$ be the result of $Q_w$ on I. If r is an r-value in $I_w(w)$ then r is also an r-value in $I_{dom}(w_{dom})$.

Proof: If w is of type $\otimes$, $\triangle$ or $\circledast$, the lemma is obvious. If w is of type □, the first part follows from the fact that all the nodes except $w_{dom}$ that are created by $Q_{dom}$ are also deleted by it. The second part is an immediate consequence of Lemma 24 (page 43) and the definition of $Q_{dom}$. |

We may assume, if necessary by renaming some bound variables, that all the bound variables in the formula $\phi_w(x_w)$ that was used to define $Q_w$ are distinct. Let these variables be $x^1_{w_1}, \ldots, x^k_{w_k}$. The algebraic query $Q_{prod}$ on the result of $Q_{dom}$ consists of the algebraic operation

$$w_{prod} \leftarrow \otimes(w_1, \ldots, w_k, w_{dom})$$

For the purpose of defining $Q_A$ we are going to label the edges with head $w_{prod}$ as follows. The ith edge with head $w_{prod}$ will be labeled $x^i_{w_i}$. These labels will be used only to define the algebraic query, and are not themselves part of the query.

In  certain  cases,  when  we  create  a  new  node  using  some  algebraic  operation,  the  outgoing  edges  from 
the  new  node  will  inherit  the  labels  of  the  corresponding  edges  whose  head  is  one  of  the  arguments  of  the 
operator.  We  shall  only  use  this  inheritance  in  cases  when  it  is  unambiguous,  i.e.,  in  cases  when  all  the 
arguments have the same labeling. The operations for which labels will be inherited are $\sigma_{i\,\theta\,j}$, difference and
union.  When  we  use  the  projection  operation  the  new  edges  will  also  inherit  the  labeling  of  the  corresponding 
edges  whose  head  is  the  argument  of  the  projection.  These  labels  are  essentially  used  to  remind  us  which 
bound  variable  the  edge  corresponds  to. 

Arrange all the well formed subformulas of $\phi_w(x_w)$ in a list $\psi_1, \ldots, \psi_m$, where $\psi_m = \phi_w(x_w)$ and $\psi_i$ precedes $\psi_j$ whenever it is a subformula of $\psi_j$. For each such subformula, we shall define an extended algebraic query $Q_{\psi_i}$ on the result of $Q_{\psi_{i-1}}$. $Q_{\psi_1}$ will be a query on the result of $Q_{prod}$. The labels on the edges with tail $w_{\psi_i}$ will correspond to the variables that might be free in $\psi_i$, i.e., those that haven’t yet been bound by $\psi_i$. The node $w_{\psi_i}$ will be of type $(\otimes, j, w_{j_1}, \ldots, w_{j_h}, w_{dom})$, and will contain, intuitively, those tuples for which $\models_{I_{\psi_i}} \psi_i(l_1, \ldots, l_k, l_d)$.

1. $\psi_i$ is $x^a_{w_a}\,\theta\,x^b_{w_b}$. $Q_{\psi_i}$ consists of the algebraic operation $w_{\psi_i} \leftarrow \sigma_{a\,\theta\,b}(w_{prod})$.

2. $\psi_i$ is $x^a_{w_a}\,\theta\,x_w$. $Q_{\psi_i}$ consists of the algebraic operation $w_{\psi_i} \leftarrow \sigma_{a\,\theta\,k+1}(w_{prod})$.

3. $\psi_i$ is $x_w\,\theta\,x_w$. $Q_{\psi_i}$ consists of the algebraic operation $w_{\psi_i} \leftarrow \sigma_{k+1\,\theta\,k+1}(w_{prod})$.

4. $\psi_i$ is $x^a_{w_a} =_r d$. $Q_{\psi_i}$ consists of the algebraic operation $w_{\psi_i} \leftarrow \sigma_{a =_r d}(w_{prod})$.

5. $\psi_i$ is $x_w =_r d$. $Q_{\psi_i}$ consists of the algebraic operation $w_{\psi_i} \leftarrow \sigma_{(k+1) =_r d}(w_{prod})$.

6. $\psi_i$ is $\psi_{j_1} \vee \psi_{j_2}$. Let $A_1$ be the (ordered) multiset of edges with tail $w_{\psi_{j_1}}$ that have the same label as some edge with tail $w_{\psi_{j_2}}$. Let $A_2$ be the corresponding set of edges with tail $w_{\psi_{j_2}}$. $Q_{\psi_i}$ is the following extended algebraic query

$$\begin{array}{l}
s_1 \leftarrow \Pi_{A_1}(w_{\psi_{j_1}}) \\
s_2 \leftarrow \Pi_{A_2}(w_{\psi_{j_2}}) \\
w_{\psi_i} \leftarrow \cup(s_1, s_2) \\
D(s_1) \\
D(s_2)
\end{array}$$

($s_1$ and $s_2$ are different temporary nodes from those used above, and from similarly named nodes used below.) Note that the way we defined $A_1$ and $A_2$ guarantees that there is no ambiguity in labeling the edges of the result, at least as long as the labels of the edges in $A_1$ and $A_2$ are in the same order. We shall show later that this is indeed the case.

7. $\psi_i$ is $\neg\psi_j$. Let A be the (ordered) multiset of edges with tail $w_{dom}$ that have the same label as some edge with tail $w_{\psi_j}$. $Q_{\psi_i}$ is the following extended algebraic query

$$\begin{array}{l}
s_1 \leftarrow \Pi_A(w_{dom}) \\
w_{\psi_i} \leftarrow s_1 - w_{\psi_j} \\
D(s_1)
\end{array}$$

As in the previous case we shall be able to label the edges with tail $w_{\psi_i}$ without any ambiguity.

8. $\psi_i$ is $(\exists x^a_{w_a})(\psi_j)$. Let A be the (ordered) multiset of all edges with tail $w_{\psi_j}$, except for the edge labeled $x^a_{w_a}$. We shall show later that there must be exactly one edge with such a label. $Q_{\psi_i}$ then consists of the algebraic operation $w_{\psi_i} \leftarrow \Pi_A(w_{\psi_j})$.

Lemma 31: Let $\psi = \psi_i$ be one of these well formed subformulas of $\phi_w(x_w)$. Let $x^{a_1}_{w_{a_1}}, \ldots, x^{a_j}_{w_{a_j}}$ be those variables in the above list that are not bound in $\psi_i$. Note that some of the $x^{a_t}_{w_{a_t}}$’s may not actually occur in $\psi_i$. Then $w_{\psi_i}$ is of type $(\otimes, (j + 1), w_{a_1}, \ldots, w_{a_j}, w_{dom})$, and the tth edge with tail $w_{\psi_i}$ has head $w_{a_t}$ and is labeled with the variable $x^{a_t}_{w_{a_t}}$. As a consequence of this, all the labelings of edges are in the same order and the assumptions that we made on the labelings when we defined the $w_{\psi_i}$’s hold.

Proof: The proof is a fairly straightforward induction using the definition of $w_{\psi_i}$. The tricky case is when $\psi_i$ is $\psi_{j_1} \vee \psi_{j_2}$. Then the children of $w_{\psi_{j_1}}$ correspond to the bound variables of $\phi_w$ that are not bound in $\psi_{j_1}$ and the children of $w_{\psi_{j_2}}$ to the bound variables of $\phi_w$ not bound in $\psi_{j_2}$. Since a variable is not bound in $\psi_{j_1} \vee \psi_{j_2}$ iff it is not bound in $\psi_{j_1}$ and it is not bound in $\psi_{j_2}$, we see that the result does hold in this case. |

Lemma 32: Let $w_{\psi_i}$ be of type $(\otimes, j, w_{j_1}, \ldots, w_{j_h}, w_{dom})$. Let $I_{\psi_i}$ be the result of $Q_{\psi_i}$ on I, let $l_d$ be a member of $I_{\psi_i}(w_{dom})$ and let $l_t$ be a member of $I_{\psi_i}(w_{j_t})$ for $t = 1, \ldots, h$. Then there exists an $l$ in $I_{\psi_i}(w_{\psi_i})$ with $r(l) = (l_1, \ldots, l_h, l_d)$ if and only if $\models_{I_{\psi_i}} \psi_i(l_1, \ldots, l_h, l_d)$. Intuitively, $(l_1, \ldots, l_h, l_d)$ is a “candidate r-value” iff it satisfies $\psi_i$.

Proof: A straightforward induction on the structure of $\psi_i$. |

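The extended algebraic query $Q_{final}$ on the result of $Q_{\phi_w}$ consists of the following operations

$$\begin{array}{l}
w_A \leftarrow \sigma_m(w_{dom}, w_{\phi_w}) \\
D(w_{\phi_w}) \\
\vdots \\
D(w_{\psi_1}) \\
D(w_{prod}) \\
D(w_{dom})
\end{array}$$

We finally define the algebraic query $Q_A$ as

$$Q_{final} \circ Q_{\phi_w} \circ Q_{\psi_{m-1}} \circ \cdots \circ Q_{\psi_1} \circ Q_{prod} \circ Q_{dom}$$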

Lemma 33: Let $I_1$ be the result of $Q_w$ on I and let $I_2$ be the result of the algebraic query $Q_A$ on I. Then $I_1$ and $I_2$ are isomorphic relative to S.

Proof: First note that the schemas are equal. The only node created but not deleted by $Q_A$ is the node $w_A$. This node is similar to the node $w_{dom}$ and hence to w.

We have to show that the instances of $w_A$ and w are isomorphic, i.e., that at the point in evaluating the queries that we compute the instances of these nodes, they have the same candidate r-values. We assume that we are at the point in the evaluation of $Q_A$ just before the final round of deletions.

Let r be a candidate r-value for w. Extend I to an instance $I_w$ of $S_{Q_w}$ by defining $I_w(w) = \{l\}$ and $r(l) = r$. Then $\models_{I_w} \phi_w(l)$. Let $I_{\phi_w}$ be the result of $Q_{\phi_w}$ on I. By Lemma 30 part 2, r is a candidate r-value for $w_{dom}$ and so for some $l_d$ in $I_{\phi_w}(w_{dom})$, $r(l_d) = r$. By Lemma 18 (page 41), $\models_{I_w} \phi_w(l)$ implies $\models_{I_{\phi_w}} \phi_w(l_d)$, and therefore, by Lemma 32, for some $l_\phi$ in $I_{\phi_w}(w_{dom})$, $r(l_\phi) = r$ is a candidate r-value for $w_A$.

For the converse, suppose that r is a candidate r-value for $w_A$. Let $I_{\phi_w}$ be the result of $Q_{\phi_w}$ on I. Since r is a candidate r-value for $w_A$, for some $l_\phi$ in $I_{\phi_w}(w_{\phi_w})$ and some $l_d$ in $I_{\phi_w}(w_{dom})$, $r(l_\phi) = (l_d)$ and $r(l_d) = r$. Since $l_\phi$ is in $I_{\phi_w}(w_{\phi_w})$, Lemma 30 implies that $\models \phi_w(l_d)$. Restrict $I_{\phi_w}$ to an instance $I_{dom}$ of the schema of $Q_{dom}$. Then $\models_{I_{dom}} \phi_w(l_d)$, and so by Lemma 18, $r(l_d) = r$ is a candidate r-value for w. |

We  can  easily  extend  this  to  general  queries  by  concatenating  the  algebraic  queries  for  the  individual 
simple  queries.  If  we  have  an  extended  logical  query  we  have  to  add  deletion  operations  at  the  end  of  the 
algebraic  query  that  delete  those  nodes  in  the  delete  set  of  the  query.  This  completes  the  proof  of  the 
following  theorem. 

Theorem 34: The extended algebraic query language and the extended logical query language are equivalent,
i.e., for every extended algebraic query on S there exists a safe extended logical query on S and for
every  extended  logical  query  on  S  there  exists  an  extended  algebraic  query  on  S,  such  that  both  queries 
define  the  same  schema  and  for  every  database  instance  I  on  which  the  logical  query  is  safe,  the  results  of 
both  queries  are  isomorphic  relative  to  S.  | 

Example 21: We shall illustrate the proof of Theorem 34 by showing how it would construct an extended
algebraic query equivalent to the query Q1 in Example 12 (page 37). We shall name the new node in that
query t rather than v! . The database instance is shown in Table 10 (page 11).

1. Q_dom consists of the algebraic operations s1 <- □(u), t_dom <- ∪(s1) followed by D(s1), the deletion of
s1. Note that the union of copies of all database nodes of type □ becomes here the union of a single
node. This is of course superfluous, but as we are illustrating the proof of the theorem, rather than
showing how to compute the result efficiently, we include this operation. The final schema (after the
deletion) and the instances of the nodes are shown in Fig. 50.

2. Q_prod consists of the operation t_prod <- £^(ti, t_dom). Fig. 51 shows the schema after this operation.
The instance is too large to show here. It contains 25 l-values, 25-49, with all the possible pairs in
{1, ..., 5} x {20, ..., 24} as r-values.

3. The subformulas of φ are ψ1 = (x_t =r y_u) and φ = ψ2 = (∃y_u)(x_t =r y_u). is t+t 0-2=ri(wProd),
and its result is shown in Fig. 52.

4. is t<f, 4— n Its result is shown in Fig. 53.

5. Q_final consists of the operation t_A <- σ_in(t_dom, t_φ) followed by the deletion of all the temporary nodes.
The result of this is shown in Fig. 54.

This example shows that the algebraic query that we get from the proof, as is also the case in Codd's proof
of the equivalence of the relational algebra and tuple calculus, is not necessarily the best way to actually
evaluate a logical query. Our example could be done much more efficiently by the single algebraic operation
t_A <- □(u).
[Schema: a single node t_dom of type □]

      I(s1)                 I(t_dom)
  l     r(l)            l     r(l)
  15    Rehoboam        20    Rehoboam
  16    Solomon         21    Solomon
  17    David           22    David
  18    Batsheba        23    Batsheba
  19    Jesse           24    Jesse

Figure 50: Result of Q_dom


Figure 51: Schema of Q_prod


7.3.  Various  Results  about  the  Algebra 

Most of the algebraic operators are natural analogues of relational operators. Even the powerset operator
O(v) is fairly natural, since it creates the entire domain of the node, and is therefore similar to the operator
Q(v1, ..., vn) that is based on the cross product. The exception is the restriction operator, σ_in(u, v). Even
though it is a type of selection, there is an essential difference between it and the other LDM selection
operator. Restriction selects objects based on whether they are used in some other node, whereas the other
selection operator selects objects based only on some property of the object by itself. For this reason, the
LDM selection operator resembles the relational selection while restriction does not.

For  this  reason,  it  would  be  nice  if  we  were  able  to  eliminate  the  restriction  operator  from  the  algebra, 
i.e.,  to  show  that  it  can  be  expressed  in  terms  of  the  other  algebraic  operators.  We  now  show  that  this  is 
impossible. 

      I(t_ψ1)
  l     r(l)
  50    (1,20)
  51    (2,21)
  52    (3,22)
  53    (4,23)
  54    (5,24)

Figure 52: Result of


Theorem 35: The extended algebraic query language is strictly more powerful than the language without
restriction.

Proof: Let the database schema consist of the nodes u and v in Fig. 55. We claim that there is no extended
algebraic query not using restriction that is equivalent to the query w <- σ_in(u, v). To see why this is
true, note that the only algebraic operators apart from restriction that can create nodes of type □ are the
operators

1. t <- D(wi)

2. t <- □((*)

3. t <- ∪(v1, ..., vn)

4. t <- v1 − v2

and in all these cases the arguments must also be of type □. Intuitively, the query must therefore construct
the node w without looking at the node v at all. More formally, suppose that there existed an extended
algebraic query Q equivalent to w <- σ_in(u, v). Let I1 and I2 be the following database instances. Both
I1(u) and I2(u) are equal to {1, 2}, where r1(1) = r2(1) = a and r1(2) = r2(2) = b. On the other hand,
I1(v) = I2(v) = {3} but r1(3) = (1) and r2(3) = (2). The candidate r-values for w on these instances should
be, respectively, a and b. We shall show, by induction on the length of Q, that for any node t in Q of type
□, in particular w, the candidate r-values for t on both I1 and I2 are the same. For Q of length 0, the result
is obvious. Assume that the inductive hypothesis holds for all queries of length less than n, and let Q be of
length n. If the last operation in Q is a deletion or if the last operation creates a node of type other than
□, the result is immediate. If the last operation creates a node of type □, it must do so using one of the
operations 1-4 above, and then the result follows immediately from the inductive assumption. |

Our  second  result  shows  that  the  extended  algebraic  query  language  is  strictly  more  powerful  than  the 
nonextended  logical  query  language. 

Theorem  36:  There  is  an  extended  algebraic  query  that  is  not  equivalent  to  any  (nonextended)  logical 
query. 

Proof:  We  shall  show  that  there  is  an  extended  logical  query  not  equivalent  to  any  (nonextended)  logical 
query.  The  result  will  then  follow  by  Theorem  34. 

The database schema S will be the same as the one we used in the proof of Theorem 26 (page 44). The
extended query Q will also be the same as in that proof, together with the set of temporary nodes {u,w}.
An equivalent logical query would have to define the contents of t in terms of the contents of v alone, which
we showed in the proof of Theorem 26 to be impossible. |

Figure 54: Result of Q_final



Figure  55:  Proof  that  restriction  is  essential 



Chapter  8 


Elimination  of  Cycles 


8.1.  Introduction 

LDM schemas can contain cycles not only in the schemas but also in the data. For example, if l ∈ r(l) for
some l-value l, then we would have a cycle in the data. Having introduced cycles into the model, we would
like  to  study  their  expressive  power.  The  problem  we  shall  look  at  is:  Are  there  applications  that  cannot  be 
modeled  without  cycles?  For  example,  consider  the  following  schema. 

Example  22:  Fig.  56  shows  an  example  of  a  cyclic  database  schema  that  stores  information  about  procedure 
calls  in  a  program.  The  schema  is  the  same  as  the  genealogy  schema  that  we  have  used  up  to  now.  Elements 
in  I(v)  represent  procedures,  elements  in  I(u)  represent  procedure  names  and  elements  in  I(w)  represent 
sets of procedures. Thus, if x ∈ I(v) and r(x) = (y, z), then r(y) is the name of the procedure x and r(z)
is the set of procedures called from x. Note that if a procedure calls itself, then we have a cycle in the
data. This is the reason we do not use the genealogy example, since the data in the genealogy should not
be cyclic. An acyclic schema that intuitively seems to “capture the same information” is shown in Fig. 57.
In this schema, elements in I(v2) represent procedure entities, elements in I(u) represent procedure names,
elements in I(w) represent sets of procedures, and elements in I(v1) represent the relationship “procedure
calls procedures.”

To  formalize  the  idea  of  “capturing  the  same  information,”  we  use  a  definition,  closely  related  to  the 
notion  of  query-equivalence  of  [Hul84] .  Intuitively,  two  schemas  capture  the  same  information  if  we  can  map 
instances  of  one  schema  to  instances  of  the  other,  and  queries  on  one  schema  to  queries  on  the  other,  such 
that  the  result  of  the  first  query  on  the  first  instance  is  isomorphic  to  the  result  of  the  second  query  on  the 
second  instance. 

In  our  query  language,  however,  the  result  of  a  query  is  not  necessarily  a  new,  independent  schema,  but 
may  contain  pointers  to  nodes  in  the  database  schema  S.  Because  of  this,  it  is  meaningless  to  talk  in  general 
about  isomorphism  between  the  results  of  the  queries.  In  order  for  such  an  isomorphism  to  be  meaningful  we 
shall  restrict  the  query  language,  in  this  chapter,  to  a  language  that  does  not  allow  pointers  to  the  database. 

Definition 35: An independent query on a schema S consists of a new schema Sq together with an ordering
of  nodes  and  a  set  of  LDM  formulas,  such  that  when  we  add  the  query  schema  to  the  database  schema  we 
get  an  LDM  query. 

The  result  of  an  independent  query  is  defined  in  the  obvious  way.  If  two  independent  queries  on  different 
database  schemas  have  the  same  query  schema,  we  are  then  able  to  talk  about  their  results  being  isomorphic. 



Figure  56:  Cyclic  schema 


Figure 57: An acyclic schema equivalent to it


Definition 36: Let S and T be schemas. Then T dominates S if there is a mapping f of instances of S to
instances of T such that for each independent query Q1 on S, there is an independent query Q2 on T such
that Q1(I) is isomorphic to Q2(f(I)) for all instances I of S on which Q1 is safe. We say that S and T are
equivalent if each of them dominates the other.

We shall only be able to prove that the two schemas in Example 22 are equivalent when the relationship
represented by v1 is functional, i.e., when each procedure is related to exactly one set of procedures, i.e.,
those procedures that it calls. This means that in fact we do not have an equivalence between the schemas,
but rather between the original schema and a new, constrained one. To make our results more general,
we shall also start off with a constrained schema, so that we shall in fact show an equivalence between a
constrained schema and an acyclic constrained schema (T, ψ). We start by describing the general
transformation from cyclic schemas to equivalent acyclic schemas. The idea is to break cycles by creating
composition nodes that represent the cyclic relationships, as in the above example.


8.2.  Converting  Cyclic  Schemas  to  Acyclic  Ones 

When we try to break cycles in arbitrary cyclic schemas, we notice that there are several pathological cases
in which the above method does not work. First of all, the cycle has to contain a Q or A node at which
to break it, i.e., it cannot consist just of O-nodes. The method also fails when the cycle contains such a
node of type Q or A, but this node has only one child. If we break the cycle at such a node, we would
end up with a childless Q or A-node after breaking the cycle. In both of these cases, the schema relates
l-values to l-values without relating them at any point to the actual data. Intuitively, pure relationships
between l-values such as these do not correspond to anything in the “real world,” which justifies looking only
at schemas without such a relationship.

We make one further restriction on the LDM schemas. If a cycle in the schema contains a node of type
A our method of removing cycles appears not to work. For example, if the cyclic schema was the one shown
in Fig. 58, it would be converted into the schema in Fig. 59, that does not represent the same structure.
The original schema essentially stores data objects at the top node, along with sets of objects, sets of sets of
objects, etc, and this is not what is stored in the acyclic schema. For this reason, we shall require that nodes
of type A occur only outside cycles. Unlike the other conditions, this is a real restriction on the power of our
method, and more work remains to be done on whether cycles involving nodes of type A can be eliminated.


Figure 58: A cyclic schema

Figure 59: Corresponding acyclic schema

Definition  37:  A  schema  S  is  called  well-formed  if  from  each  node  in  the  schema  there  is  a  path  to  a  node 
of  type  □ ,  and  no  node  of  type  A  occurs  in  any  cycle  of  S. 

Definition  38:  Let  S  be  a  cyclic  schema.  A  node  v  in  S  is  called  a  possible  breakpoint  if 

1.  It  is  of  type  O. 

2.  It  is  in  at  least  one  cycle. 

3.  It  has  at  least  one  child  that  is  not  in  any  cycle. 

For  example,  the  node  v  in  Fig.  60  is  a  possible  breakpoint. 


Lemma 37: Let S be a well-formed schema. Either S is acyclic, or it has a possible breakpoint.

Proof: Assume that S contains a cycle, and let u_0 be a node in that cycle. Since S is well-formed, there is
a path u_0, ..., u_n from u_0 to a node u_n of type □. Let u_k be the first node on this path that is not in any
cycle; there must be at least one such node, since the node u_n is not in any cycle. We claim that the node
u_{k-1} is a possible breakpoint. By definition, it is on at least one cycle and has a child that is not in any
cycle. Since u_{k-1} is in a cycle and that cycle does not contain u_k, u_{k-1} must have at least one other child.
Since S is well-formed, u_{k-1} must be of type O. |

Let S be a well-formed cyclic schema, and let v be a possible breakpoint. There are two ways to generalize
Example 22. One way is to break one cycle through v at a time. In some cases this can result in unnecessarily
complicated schemas, and we prefer instead to break the cycles that go through v all at once. The node v is
replaced by two nodes v1 and v2 (see Fig. 61). All the edges that had head v, except for those that belonged
to one of the cycles through v, will now have head v1. All the edges that had tail v, except for those that
were in the cycles, now have tail v2. v1 and v2 will both be of type O. The formal definition is as follows.

Definition 39: Let (S, φ) be a well-formed cyclic constrained schema, where S = (V, E, μ), and let v
be a possible breakpoint. Then Br(S, φ, v) is the constrained schema (S', ψ) where S' = (V', E', μ') and
ψ = Br(φ, v) are defined as follows.
Figure 60: Cycles through v

Figure 61: After breaking the cycles


1. We introduce two new nodes v1 and v2. V' has v replaced by v1 and v2, i.e., V' = V − {v} ∪ {v1, v2}.

2. All the nodes in V' except for v1 and v2 have the same type as in S, i.e., μ'(u) = μ(u) for all u in
V − {v}. v1 and v2 are both of type O.

3. Let C be the set of nodes that are on the cycles that go through v. Then E' is defined as follows

$$
\begin{aligned}
E' = {} & E - \{(u_1, u_2) \mid (u_1, u_2) \in E,\ u_1 = v \text{ or } u_2 = v\} \\
& \cup \{(v_1, v_2)\} \\
& \cup \{(u, v_1) \mid (u, v) \in E,\ u \notin C\} \\
& \cup \{(u, v_2) \mid (u, v) \in E,\ u \in C\} \\
& \cup \{(v_2, u) \mid (v, u) \in E,\ u \notin C\} \\
& \cup \{(v_1, u) \mid (v, u) \in E,\ u \in C\}
\end{aligned}
$$

In other words, the edges in the new schema are

(a) All those in the original schema, except for those whose head or tail is v.

(b) v2 is a child of v1.

(c) Each edge with head v is replaced by

i. An edge with head v1, when the edge is not part of a cycle.

ii. An edge with head v2, when the edge is part of a cycle.

(d) Each edge with tail v is replaced by

i. An edge with tail v1, when the edge is part of a cycle.

ii. An edge with tail v2, when the edge is not part of a cycle.

Any edge that replaces an edge with head or tail v has the same position in the ordering as the edge
it replaces. The edge from v1 to v2 follows all the other edges in the ordering.
In order to define the new constraint ψ = Br(φ, v), we first define a function F(φ) from LDM formulas
over S to LDM formulas over S'.

Definition 40: The function F(φ) is defined by induction on the size of φ as follows.

1. (a) If u and w are not equal to v, then F(xu zu yw) is xu zu yw.

(b) If w is not equal to v, then

i. If w is not on a cycle through v, then F(xv zv yw) is xv1 zv yw.

ii. If w is on a cycle through v, then F(xv tv yw) is xv2 zv yw.

(c) If u is not equal to v, then

i. If u is not on a cycle through v, then F(xu zu yv) is xu zu yv2.

ii. If w is on a cycle through v, then F(xu xu yv) is xu xu yv1.

(d) F(xv zt yv) is xv2 zt yv1.

2.  F(xv  e  yw)  is  defined  similarly,  except  that  we  do  not  have  to  worry  about  the  cases  when  w  =  v. 

3.  F(xu  p  yw)  is  similar  to  the  previous  case. 

4. (a) If u is not equal to v, then F(xu =l yu) is xu =l yu.

(b) F(xv =l yv) is xv1 =l yv1.

5.  F^Xu  — y  d)  is  Xu  —  r  d. 

6. F(φ ∧ ψ) is F(φ) ∧ F(ψ).

7. (a) If u is not equal to v, then F((∀xu)φ) is (∀xu)F(φ).

(b)  ^((VztOVO  is  (VxVl)(VxV7)((xV2  zV2  xVl)  AF(VO),  where  and  are  new  variables,  and  the 
projection  uses  the  last  edge  from  V\  to  V2 . 

Definition  41:  The  constraint  <t>  is  mapped  into  the  constraint 
Br(<£,  v)  =  A  A  a?t;3  zV7  ®t,1  ^  ®t,1  — /  A  (Va?U3)(Ba:Vi)(aJtJ2 

The last two conjuncts express the functional relationship that exactly one v2 is associated with each v1.

Lemma 38: Let (S, φ) be a well-formed cyclic schema, and let v be a possible breakpoint. Then Br(S, φ, v) =
(S', ψ) is also well-formed.

Proof: We first have to show that S' is a legal LDM schema. The only reason it may fail to be one is that
S' may contain a node of type Q that has no children. It is clear from the definition of S' that the only
node where this could happen is v2, but v2 has at least one child since v has at least one child that is not in
any cycle through v.

We now show that S' is well-formed. Let w be an arbitrary node of S'. We have to show that there is a
path in S' from w to a node of type □, and that no cycle contains a node of type A. To prove the second of
these, it is not hard to show that we can convert a cycle in S' into a cycle in S by replacing all occurrences
of v1 and v2 in the cycle by the node v. For the first condition there are two cases.

1. w is neither of the nodes v1 and v2. Then w must be a node of S. Since S is well-formed, there must
be a path in S from w to a node x of type □. Let w, w1, ..., wn, x be a shortest such path. Clearly
x is also in S'. If all the other nodes on the path are also in S', we are done. Otherwise, one of these
nodes, say wi, is equal to v, and by the minimality of the path there is at most one such wi. Since v is
a possible breakpoint, it has a child u1 that is not on any cycle, and therefore there is a path u1, ...,
um in S from u1 to a node um of type □ (see Fig. 62). There are then two possibilities.
Figure 62: Proof of Lemma 38


(a) w_{i-1} is not on any cycle through v. Then w, ..., w_{i-1}, v1, v2, u1, ..., um is a path in S' from w
to a node um of type □.

(b) w_{i-1} is on a cycle through v. Then w, ..., w_{i-1}, v2, u1, ..., um is a path in S' from w to a node
um of type □.

2. w is either v1 or v2. If we have a path from v2 to a node x of type □, we can easily convert it to a path
from v1 to x by using the edge (v1, v2). Assume therefore that w is the node v2. Since v is a possible
breakpoint, it has a child w1 that is not in any cycle. Since S is well-formed, there is a path from w1
to a node x of type □. Let w1, ..., wn, x be the shortest such path in S. Then no node on this path
is equal to v and therefore v2, w1, ..., wn, x is a path in S' to a node x of type □. |

We  now  show  that  if  we  repeatedly  break  cycles,  we  eventually  get  an  acyclic  schema. 

Lemma 39: Let (S, φ) be a well-formed constrained cyclic schema. If we repeatedly break cycles in S at
possible breakpoints, we shall eventually get an acyclic constrained schema. The termination does
not depend on the order in which we choose the breakpoints.

Proof: The proof is by induction on the number of nodes of the schema that are in at least one cycle. We
show that whenever we break a cycle we reduce the number of such nodes by at least one. Let (S1, φ1) be
the schema before breaking the cycles through v and let (S2, φ2) = Br(S1, φ1, v) be the schema afterwards.
We show that

1. The two new nodes v1 and v2 are not in any cycle in S2.

2. Any node in S1 other than v that is not in any cycle in S1, is also not in any cycle of S2.

Together, these conditions immediately imply the result.

1. Assume that there is a cycle in S2 that goes through v1 or through v2. Let C be the shortest such
cycle. There are three cases

(a) C contains v1 but not v2. Let w be the node in C that immediately precedes v1. By replacing v1
in C by v we get a cycle in S1. But then, when we construct S2, we replace the edge (w, v) by
the edge (w, v2), and S2 then contains no edge from w to v1.
(b) C contains v2 but not v1. Let u be the node in C that immediately succeeds v2. In a similar way,
by replacing v2 by v, we get a cycle in S1. Therefore, when constructing S2, we replace the edge
(v, u) by the edge (v1, u), and S2 does not contain an edge from v2 to u.

(c) C contains both v1 and v2. v2 must occur immediately after v1 on C, since otherwise we could
shorten the cycle C by replacing the path from v1 to v2 by the edge (v1, v2). Let u be the node
in C that immediately precedes v1. If we replace v1 and v2 in C by the node v, we get a cycle
in S1. But then the edge (u, v1) would be replaced in S2 by the edge (u, v2) and S2 would not
contain an edge from u to v2, a contradiction.

2. Let u be a node of S1 that does not appear in any cycle, and assume that u is in some cycle C in S2.
As we have just shown, no cycle in S2, and in particular C, can contain either of the nodes v1 or v2.
But then C is also a cycle in S1, a contradiction. |


8.3.  Equivalence  of  the  Schemas 

We first show how to map an instance of (S, φ) into an instance Br(I, v) of (T, ψ) = Br(S, φ, v). The intuition
behind the construction is as follows. We got from S to T by breaking cycles through v. The instance of
any node other than v, that does not have v as either a parent or a child, is not changed. Each l-value in
I(v) is replaced by a pair of l-values, one in Br(I, v)(v1) and the other in Br(I, v)(v2). The second of these
l-values is the child of the first. We then modify the r-values of the l-values in the parents and children of v
in a straightforward way.

Definition 42: Let (S, φ) be a well-formed, cyclic, constrained schema, and let I1 = (I1, r1) be an instance
of it. Let v be a possible breakpoint, and let (T, ψ) = Br(S, φ, v). Then I2 = (I2, r2) = Br(I1, v) is the
instance of T that is defined as follows. For each l in I1(v), we introduce two new l-values, that will be
written as α(l) and β(l).

1. I2(v1) is defined as {α(l) | l ∈ I1(v)} and I2(v2) as {β(l) | l ∈ I1(v)}, i.e., they contain all these new
l-values. Since v is of type O, for each such l in I1(v), r1(l) = (l1, ..., ln) for some l1, ..., ln. Assume,
w.l.o.g., that the first i children of v are those that are in cycles through v. Then r2(α(l)) is defined as
(l1, ..., li, β(l)) and r2(β(l)) as (l_{i+1}, ..., ln). If the jth child of v is v itself, then the corresponding
component of r2(α(l)) will be β(lj) instead of lj.

2. If w is any node except v that is not a parent of v, then I2(w) = I1(w), and for each l in this set,
r2(l) = r1(l).

3. If w is a node (except v) that is a parent of v, then I2(w) is defined as I1(w). For the r-values, there
are two cases to consider.

(a) w is not in any cycle that goes through v. If w is of type (Q,n), then for each l in I1(w),
r1(l) = (l1, ..., ln) for suitable li's. Let v be the ith child of w. Then r2(l) is defined as
(l1, ..., l_{i-1}, α(li), l_{i+1}, ..., ln). This generalizes easily to the case when there are multiple edges from
w to v. The other possibility is that w is of type (O, v). In that case, for each l in I2(w), r2(l) is
defined as {α(l') | l' ∈

(b) w is on a cycle through v. The r-values are defined as in the previous case, but with β(l) used
everywhere instead of α(l).
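
The constructions of Definitions 37-39 and 42 and the repeated breaking of Lemma 39, as an added example that is not part of the original text, run on constructed data shaped like Example 22. The type labels "basic", "composition", "set" and "A", the `_1`/`_2` node names and the `("alpha", l)` / `("beta", l)` encodings of α(l) and β(l) are assumptions of this sketch; the constraint part of Br and parents of type A are not modelled, and the set case assumes α (or β) is applied to every member of r1(l).

```python
# Added example: cycle breaking on LDM schemas (Definitions 37-39 and 42).
# A schema maps node -> (type, ordered children). Type names are labels chosen
# here: "basic" (leaf), "composition" (r-value is a tuple of l-values),
# "set" (r-value is a set of l-values), "A" (the type barred from cycles).

def reachable(schema, start):
    """Nodes reachable from start along one or more edges."""
    seen, stack = set(), list(schema[start][1])
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(schema[n][1])
    return seen

def cyclic_nodes(schema):
    return {n for n in schema if n in reachable(schema, n)}

def cycle_set(schema, v):
    """C of Definition 39: v plus every node on a cycle through v."""
    return {n for n in reachable(schema, v) if n == v or v in reachable(schema, n)}

def well_formed(schema):
    """Definition 37: every node reaches a basic node; no "A" node on a cycle."""
    on_cycle = cyclic_nodes(schema)
    return all(
        any(schema[m][0] == "basic" for m in reachable(schema, n) | {n})
        and not (typ == "A" and n in on_cycle)
        for n, (typ, _) in schema.items())

def possible_breakpoints(schema):
    """Definition 38: composition node on a cycle with a child off every cycle."""
    on_cycle = cyclic_nodes(schema)
    return sorted(n for n, (typ, kids) in schema.items()
                  if typ == "composition" and n in on_cycle
                  and any(k not in on_cycle for k in kids))

def break_cycles(schema, v):
    """Graph part of Br(S, phi, v): split v into v_1 and v_2 (Definition 39)."""
    v1, v2, C = f"{v}_1", f"{v}_2", cycle_set(schema, v)
    out = {}
    for n, (typ, kids) in schema.items():
        if n != v:                          # edge (n, v): to v_2 if n in C, else v_1
            head = v2 if n in C else v1
            out[n] = (typ, [head if k == v else k for k in kids])
    kids = schema[v][1]
    # v_1 keeps the edges into cycles (a self-loop now points at v_2, following
    # Definition 42); the new edge (v_1, v_2) comes last. v_2 keeps the rest.
    out[v1] = ("composition", [v2 if k == v else k for k in kids if k in C] + [v2])
    out[v2] = ("composition", [k for k in kids if k not in C])
    return out

def eliminate_cycles(schema):
    """Lemma 39: break at possible breakpoints until no cycle is left."""
    if not well_formed(schema):
        raise ValueError("schema is not well-formed")
    broken = []
    while cyclic_nodes(schema):
        v = possible_breakpoints(schema)[0]
        schema = break_cycles(schema, v)
        broken.append(v)
    return schema, broken

def alpha(l): return ("alpha", l)           # new l-value placed in I2(v_1)
def beta(l): return ("beta", l)             # new l-value placed in I2(v_2)

def break_instance(schema, inst, v):
    """Br(I, v) of Definition 42; inst maps node -> {l-value: r-value}."""
    C, kids_v, out = cycle_set(schema, v), schema[v][1], {}
    for w, (typ, kids) in schema.items():
        if w == v:
            continue
        ref = beta if w in C else alpha     # item 3(b) versus item 3(a)
        out[w] = {}
        for l, r in inst[w].items():
            if typ == "composition":
                r = tuple(ref(x) if k == v else x for k, x in zip(kids, r))
            elif typ == "set" and kids == [v]:
                r = frozenset(ref(x) for x in r)
            out[w][l] = r
    out[f"{v}_1"], out[f"{v}_2"] = {}, {}
    for l, r in inst[v].items():
        pairs = list(zip(kids_v, r))
        cyc = tuple(beta(x) if k == v else x for k, x in pairs if k in C)
        out[f"{v}_1"][alpha(l)] = cyc + (beta(l),)
        out[f"{v}_2"][beta(l)] = tuple(x for k, x in pairs if k not in C)
    return out

# Constructed data in the shape of Example 22: v = procedures, u = names,
# w = sets of called procedures. Procedure 21 calls itself: a cycle in the data.
EXAMPLE_22 = {"v": ("composition", ["u", "w"]),
              "u": ("basic", []),
              "w": ("set", ["v"])}
INSTANCE = {"u": {1: "main", 2: "fact"},
            "w": {10: frozenset({21}), 11: frozenset({20, 21})},
            "v": {20: (1, 10), 21: (2, 11)}}

if __name__ == "__main__":
    print(eliminate_cycles(EXAMPLE_22))
    print(break_instance(EXAMPLE_22, INSTANCE, "v"))
```

On this input the result has the shape the text describes for Fig. 57: `v_2` holds the procedure entities with their names, and `v_1` holds the "procedure calls procedures" relationship with exactly one `v_2` l-value per `v_1` l-value.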

Lemma 40: Let I be an instance of (S, φ) and let v be a possible breakpoint. Let I* be the instance Br(I, v).
Then I* is an instance of the schema (T, ψ) = Br(S, φ, v).

Proof: We have to show that I* satisfies the constraint Br(φ, v). It is clear that it satisfies the two final
conjuncts in the definition of Br(φ, v), since there is a 1-1 correspondence between l-values α(l) in I*(v1) and
l-values β(l) in I*(v2). It remains to show that |= j. This is a consequence of the following assertion,
whose proof is a routine induction on the structure of the formula φ.


Let 


tVi  J 


, ,  yi , 


at  the  end.  Then  the  free  variables  of  F(i/>)  are  x*  ,  ...  ,  x" 
1  <i  <n,  and  /,•  6  I(v)  for  i  =  1,  . . . ,  m  then 


tf?)  be  an  arbitrary  LDM  formula  over  S  where  all  the  variables  of  sort  v  are 


ylVl 


Uv2  > 


If  h  €  I(wi)  for  all  i, 


1=  I  m ln, Nl.WOi ,  •  •  • ,  /»,<*(/!),  m, ....  a(C),  t3{l'm))  | 

Lemma 41: Let (S, φ) be a well-formed constrained cyclic schema, let v be a possible breakpoint, and let
(T, ψ) be the schema that we get by breaking the cycles that go through v. Then (T, ψ) dominates (S, φ).

Proof: Let Q1 be an independent query on S. Q2 will consist of the same schema as Q1 and its nodes will
be in the same order. Each formula φ_w(x_w) in Q1 is replaced by the corresponding formula F(φ_w)(x_w) in
Q2. It is clear that we get a logical query.

Let I be a fixed instance of (S, φ) and let I* be the instance Br(I, v) of (T, ψ). We show that the result
I1 of Q1 on I and the result I1* of Q2 on I* are isomorphic. The isomorphism is defined using the topological
order on the query nodes, as follows.

Assume that we have defined the isomorphism f between I1 and I1* on all the query nodes that precede
the node u. For each l ∈ I1(u), let r = r1(l) be its r-value. We define an r-value r' as follows

1. If v is of type O, then r is a tuple (l1, ..., ln). We define r' to be the tuple (f(l1), ..., f(ln)).

2. If v is of type O, then r is a set, and we define r' to be the set {f(l) | l ∈ r}.

3. If v is of type A then r = l, and we define r' to be f(l).

4. If v is of type □, then r ∈ D, and we define r' to be equal to r.

It is straightforward to show that r' is a candidate r-value for u in Q2. This gives us a 1-1 correspondence
between the r-values of I1(u) and those of I1*(u). If we then define f(l) = l*, where l* is the l-value in I1*(u)
with r-value r', we extend the isomorphism f to u. By repeating this for each query node u, we get an
isomorphism between I1 and I1*. |

We  now  define  the  inverse  mapping  on  instances. 

Definition 43: Let $(S, \varphi)$ and $(T, \psi)$ be as above, and let $\mathbf{I}_2$ be an instance of $(T, \psi)$. Then $\mathbf{I}_1$ is the
following instance

1. $I_1(v)$ is defined as $I_2(v_1)$. Whenever $l \in I_1(v)$, $r_1(l)$ will be a tuple containing all the components from
$r_2(l)$, except for the last one that corresponds to the new edge to $v_2$, together with all the components
of $r_2(\Pi_{v_2}(l))$.

2. If $w$ is any node except $v_1$ and $v_2$ and $w$ is not a parent of $v_2$, then $I_1(w) = I_2(w)$ and the r-values are
the same as in $\mathbf{I}_2$.

3. If $w$ is any node except $v_1$ that is not a parent of $v_2$ then $I_1(w) = I_2(w)$. If $w$ is of type $(\otimes, n)$ with $v_2$
as its $k$th child, then each $l$ in $I_2(w)$ has an r-value of the form $r_2(l) = (l_1, \ldots, l_k, \ldots, l_n)$ for suitable
$l_i$'s. Since $\mathbf{I}_2$ satisfies $\psi$, there is a unique $l_k^*$ in $I_2(v_1)$ with $l_k$ as its last component. We then define
$r_1(l) = (l_1, \ldots, l_k^*, \ldots, l_n)$. We define the r-values for nodes of type $\circledast$ in a similar way.

Lemma 42: Let $(S, \varphi)$, $(T, \psi)$, $\mathbf{I}_2$ and $\mathbf{I}_1$ be as in the above definition. Then $\mathbf{I}_1$ is an instance of $(S, \varphi)$.

Proof: $\mathbf{I}_1$ clearly is an instance of $S$. The proof that $\models_{\mathbf{I}_1} \varphi$ is a straightforward induction on the structure
of $\varphi$, similar to the proof of Lemma 40. ∎

It  is  easy  to  show  that  the  two  mappings  on  instances  are  inverses  of  each  other,  i.e.,  applying  one  and 
then  the  other  yields  an  instance  isomorphic  to  the  original  one.  To  complete  the  proof  of  equivalence  we 
show that $(S, \varphi)$ dominates $(T, \psi)$.

Lemma 43: Let $(S, \varphi)$ be a well-formed constrained cyclic schema, let $v$ be a possible breakpoint and let
$(T, \psi)$ be the schema that we get by breaking the cycles that go through $v$. Then $(S, \varphi)$ dominates $(T, \psi)$.

Proof: Let $Q_2$ be an independent query on $S$. $Q_1$ consists of the same schema and node ordering as $Q_2$.
The formula $\varphi_w(x_w)$ in $Q_2$ is replaced in $Q_1$ by the following formula. Each variable in $\varphi_w$ of the form $x_{v_1}$
or $x_{v_2}$ is replaced by a variable $x_v$. These variables are distinct, i.e., $x_{v_1}$ and $x_{v_2}$ are replaced by different
variables. The only other change we have to make in $\varphi_w$ is to atomic formulas that involve $\pi_k$. Formulas of
the form $y_w \,\pi_k\, x_{v_1}$ and $y_w \,\pi_k\, x_{v_2}$ are replaced by $y_w \,\pi_k\, x_v$ where $w$ is the $k$th child of $v$. The remaining
possibility, $x_{v_1} \,\pi_{n+1}\, y_{v_2}$, where $v$ has $n$ children, is replaced by $x_v =_l y_v$. Proving the equivalence of $Q_1$ and
$Q_2$ is now straightforward, making use of the fact that we only consider instances that satisfy the constraint
$\psi$. ∎

Combining  Lemmas  41  and  43,  we  get 

Lemma 44: Let $(S, \varphi)$ be a well-formed constrained cyclic schema, let $v$ be a possible breakpoint and let
$(T, \psi)$ be the schema we get by breaking the cycles that go through $v$. Then $(S, \varphi)$ and $(T, \psi)$ are equivalent.

Finally,  by  applying  this  result  repeatedly  together  with  Lemma  39,  we  get  the  desired  result. 

Theorem 45: Let $(S, \varphi)$ be a well-formed constrained schema. There exists an acyclic constrained schema
$(T, \psi)$ that is equivalent to $(S, \varphi)$. ∎


Chapter  9 

Conclusions 


We  have  described  a  new  model  of  data,  the  Logical  Data  Model,  that  is  designed  to  combine  the  advantages 
of  the  existing  data  models.  On  the  one  hand,  it  enables  the  database  to  describe  more  of  the  semantics  of 
the  data  than  is  possible  using  the  relational  model  of  data.  On  the  other  hand,  we  do  not  lose  the  nice 
properties  that  relational  databases  have,  in  particular  the  ability  to  query  the  database  using  equivalent 
non-procedural  and  procedural  languages. 

Some  directions  for  future  work  are  as  follows. 

1.  More  work  has  to  be  done  on  the  query  language.  The  languages  we  have  defined  are  similar  to  the 
initial  versions  of  Codd’s  relational  algebra  and  tuple  calculus.  We  have  outlined  in  Section  3.2  how 
the  LDM  languages  could  be  modified  to  obtain  a  more  user-friendly  and  efficient  language,  but  more 
work  has  to  be  done  in  this  direction  before  an  implementation  would  be  possible. 

2.  Another  direction  for  future  work  is  extending  the  power  of  the  query  language.  While  there  does  not 
appear  to  be  any  need  for  the  full  power  of  the  implicitly  defined  queries  in  our  first  attempt,  there  may 
be  specific  constraints  that  we  want  the  result  of  the  query  to  satisfy,  and  these  may  not  be  expressible 
by  node-by-node  formulas.  Appendix  B  gives  one  example  of  the  sort  of  difficulties  we  encounter  in 
one  extension  of  this  sort. 

3. The query languages that we have described are all first-order. Recent papers, such as [HN84] [Rei78]
[Ull85], have proposed using a more powerful query language, similar to PROLOG, for accessing
databases. Such a language would be able, among other things, to compute the transitive closure of a
relation, something that cannot be done in the relational algebra [AU79]. It may be possible to extend
the LDM query language along these lines to get a non first-order language without the problems that
arise with Jacobs' database logic.

4.  More  work  remains  to  be  done  on  the  expressive  power  of  cyclicity.  It  is  still  open  whether  cycles 
containing  nodes  of  type  A  can  be  eliminated.  Furthermore,  we  have  only  shown  that,  according  to  a 
certain  measure,  cycles  in  well-formed  schemas  do  not  add  any  expressive  power.  But  it  is  not  clear 
that  this  measure  is  the  ultimate  one. 
Appendix A


An  Early  Attempt  to  Define  the 
Query  Language 


A.1. Introduction

In  this  appendix,  S  will  be  a  fixed  database  schema,  I  an  instance  of  it  and  Q  =  (Sq,  -<q,  a  query  on 
S. 

One  of  our  attempts  to  extend  the  relational  model  to  LDM  schemas  was  the  following.  A  query  consists 
of  an  extension  of  S  together  with  some  sentence  that  specifies  an  instance  of  it.  In  other  words 

Definition 44: A query $Q$ on $S$ consists of

1. An extension $S_Q$ of $S$.

2. An LDM sentence $\varphi_Q$ over $S_Q$.

The result of the query should be an extension of $\mathbf{I}$ that satisfies sentence $\varphi_Q$.

Definition 45: The result of $Q$ on $\mathbf{I}$ is an extension $\mathbf{I}_Q$ of $\mathbf{I}$ to $S_Q$ such that $\models_{\mathbf{I}_Q} \varphi_Q$.

One problem with this definition is that there may be many different ways to extend $\mathbf{I}$, all of which satisfy
$\varphi_Q$. One way we tried to deal with this problem was to require that a query have a unique result, i.e., put
the burden on the user to make sure that he only asks such queries. Uniqueness, of course, will only be up
to isomorphism. In the relational model the term safe queries is used to denote queries for which the result
is defined. The only thing that could go wrong there is that the result may be infinite, and that is in fact
the definition of safety in the relational model. For LDM queries this is no longer true, since there are other
things that may be wrong with a query. For example, there may be no extension of $\mathbf{I}$ to $S_Q$ that satisfies
the query, or there may be several possible such extensions. We shall borrow the term safe query from the
relational model and use it with an extended meaning. It will denote those queries that have a unique result.
Note that since we are only interested in finite instances, the safe queries in the relational model turn out to
be a special case of our more general definition.

Definition 46: A query is safe up to isomorphism if for every instance $\mathbf{I}$ of $S$ there is a unique extension of
$\mathbf{I}$ to $S_Q$ that satisfies $\varphi_Q$. The uniqueness is up to isomorphism relative to $S$.

The problem with this definition is that requiring that a query be safe up to isomorphism is too strong
a requirement.




Example 23: Let the database schema be the genealogy schema $S$ shown in Fig. 8 (page 10). Suppose that
as  a  query  on  S  we  want  to  construct  the  LDM  schema  that  corresponds  to  the  relational  model.  In  other 
words,  the  query  schema  is  the  extension  of  S  formed  by  adding  the  nodes  in  Figure  63  to  S.  We  want  w* 
to  contain  pairs  of  l-values  that  correspond  to  (Person-Parent)  pairs.  To  get  these  pairs,  look  at  elements  of 
I(v).  For  each  such  element,  take  its  left  component  and  pair  it  with  those  elements  that  we  get  by  taking 
the  elements  in  its  right  component,  and  finding  the  person  that  they  point  to.  When  we  write  this  out 
formally,  we  get  the  following  LDM  sentence 


4>i  =  (V4.)(v*2.)(v*».)^(«2.»«.*i.)  A(*».»..*i.) 

=►  (3«i)(3»2)(3»S)(3|A)(3»5)((»i  =r  *„.)  A  (yl  =r  **.)  A  =r  (yj,y4)) 


A  {yl  e  vi)  a  (i/«xuy®))j 


We can think of $\varphi_1$ as being similar to how we would express a query in the relational model. In other
words, we say what the objects in the result should satisfy. The problem with this query is that it is not
safe up to isomorphism. One reason for this is that unlike the relational model the LDM model can express
duplication of data. Everything in the result of the above query does indeed correspond to a
(Person-Parent) pair but there is nothing to stop such a pair from appearing twice or more often. To prevent this
from happening, we have to add another sentence to the query. The following sentence, $\varphi_2$, says explicitly
that the result contains no duplication.


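$$\begin{aligned}
\varphi_2 = {} & (\forall x_{u^*})(\forall y_{u^*})(x_{u^*} \neq_l y_{u^*} \Rightarrow x_{u^*} \neq_r y_{u^*}) \\
& \land (\forall x_{v^*})(\forall y_{v^*})(x_{v^*} \neq_l y_{v^*} \Rightarrow x_{v^*} \neq_r y_{v^*}) \\
& \land (\forall x_{w^*})(\forall y_{w^*})(x_{w^*} \neq_l y_{w^*} \Rightarrow x_{w^*} \neq_r y_{w^*})
\end{aligned}$$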


The query with $\varphi_1 \land \varphi_2$ is still unsafe. Nothing in what we have written so far says that any particular
(Person-Parent) pair must appear in the result — we have only said that everything in the result is such a
pair and that nothing appears more than once. In the relational model this is something that we do not
have to say explicitly — we just say what should be in the result and the result will then contain one copy of
each tuple that satisfies the query. To make our query safe we can add another sentence, $\varphi_3$, to the query.
$\varphi_3$ says explicitly that anything in $\mathbf{I}$ that corresponds to a (Person-Parent) pair gives rise to a corresponding
tuple in the result.

h  =  (VyJ)(Vj/2)(V^)(V^)(Vy5)  ^(|£x«»5)  A  (y3w*wyl)  A  (y4  6  )  A  (y>uy4) 

=>  (3*i.)(3*2.)(3a^.)((*i*  =r  (*2»,*20) A  (*2*  =r  vl) A  (*2*  =«•  «5))^ 

Finally, to get a safe query, we have to restrict the contents of $I(u^*)$ and $I(v^*)$, i.e., to say that these
nodes contain nothing that is not needed for the tuples in $I(w^*)$. Formally

$$\varphi_4 = (\forall x_{u^*})(\exists y_{w^*})(x_{u^*} \,\pi_{u^*}\, y_{w^*}) \land (\forall x_{v^*})(\exists y_{w^*})(x_{v^*} \,\pi_{v^*}\, y_{w^*})$$

Putting all this together we get the query $Q = (S_Q, \varphi_Q)$ where

$$\varphi_Q = \varphi_1 \land \varphi_2 \land \varphi_3 \land \varphi_4$$

While this query is safe at last, it is obviously far too complicated to be of any real use.


A.2.  Safety  up  to  Duplication 

What  the  above  example  shows  is  that  to  get  a  safe  query  we  have  to  add  conjuncts  to  our  original  query  that 
say  things  that  are  obvious.  One  of  these  explicitly  states  the  fact  that  there  is  no  duplication  in  the  result. 
We  could  simplify  what  the  user  has  to  write  by  making  this  part  of  the  definition  of  the  query  language, 
which could be done by having the query processor automatically add a conjunct similar to $\varphi_2$ to the query.
We  feel  that  this  is  not  the  right  way  to  proceed  for  several  reasons.  One  reason  is  that  this  seems  a  rather 
ad  hoc  approach.  Why  add  this  conjunct  rather  than  other  ones?  The  other  reason  is  that  the  query  may, 
either  implicitly  or  explicitly,  require  that  there  be  some  duplication  in  the  result.  If  the  system  were  then 
to add $\varphi_2$ to the query it would convert what was originally a safe query into an unsafe one.

The  alternative  way  to  proceed  that  seems  preferable  from  a  mathematical  viewpoint  as  well  is  to  keep 
the  original  query  as  the  condition  that  the  result  must  satisfy  but  also  require  that  the  result  have  as  little 
duplication  as  possible.  In  our  example  this  would  mean  that  there  is  no  duplication  at  all  but  in  general 
that  would  not  have  to  be  the  case.  A  safe  query  would  then  be  one  that  has  a  unique  minimal  instance 
satisfying the query. In such a case we shall say the query is safe up to duplication.

Essentially,  an  instance  is  minimal  if  there  is  no  smaller  instance  that  satisfies  the  sentence.  Some 
difficulty occurs when trying to define what minimality means at a node of type $\circledast$. If $v$ is of type $(\circledast, u)$ and
the  query  requires  that  u  have  some  duplication,  we  have  to  make  sure  that  we  minimize  internal  duplication 
in  the  sets,  i.e.,  that  we  take  only  one  copy  among  the  duplicates  in  u  as  a  member  of  each  set  in  v  (unless 
duplication  of  this  sort  is  also  required  by  the  query). 

In order to define minimality, we first define a relation $l_1 \preceq l_2$ on l-values. $l_1 \preceq l_2$ will mean, intuitively,
that while $l_1$ and $l_2$ contain the same information, $l_1$ may contain more internal duplication than $l_2$.

Definition 47: Let $\mathbf{I}_1 = (I_1, r_1)$ and $\mathbf{I}_2 = (I_2, r_2)$ be two extensions of $\mathbf{I}$ to $S_Q$. We say that an element $l_1$
of $I_1(v)$ is dominated by an element $l_2$ of $I_2(v)$, and write $l_1 \preceq l_2$, iff

1. If $v$ is a node of the database schema $S$, then $l_1 = l_2$. This means that different l-values in the database
are regarded as essentially different objects, even if their r-values are the same.

2. If $v$ is a query node, i.e., $v$ is a node in $V_Q - V$, then

(a) If $\mu(v) = $ □, then $r_1(l_1) = r_2(l_2)$.

(b) If $\mu(v) = (\otimes, n)$, then $\Pi_i(l_1) \preceq \Pi_i(l_2)$ for all $i$, $1 \le i \le n$.

(c) If $\mu(v) = $ A then $r_1(l_1) \preceq r_2(l_2)$.

(d) If $\mu(v) = \circledast$, then

i. There is a 1-1 function $f: r_1(l_1) \to r_2(l_2)$ such that for all $l \in r_1(l_1)$, $l \preceq f(l)$, i.e., everything
that is in $r_1(l_1)$ is also in $r_2(l_2)$, possibly with more internal duplication.

ii. For every $l \in r_2(l_2)$, there is an $l' \in r_1(l_1)$ such that $l' \preceq l$, i.e., everything in $r_2(l_2)$ is a copy,
possibly with some more internal duplication, of something in $r_1(l_1)$.

Provided that the query does not add cycles to the database, this definition corresponds to the intuition
we described above. The problem with cyclic queries is that since the definition is recursive, l-values of nodes
that are in a cycle added by the query will never dominate one another, and we shall end up with no way to
compare the instances that we get. As we are going to forbid cycles in the query anyway, for other reasons,
we shall not discuss here how to modify the definitions to handle cyclic queries.

The next step is to define a relation $\mathbf{I}_1 \preceq \mathbf{I}_2$ between instances. Intuitively, $\mathbf{I}_1 \preceq \mathbf{I}_2$ will mean that $\mathbf{I}_1$ and
$\mathbf{I}_2$ contain the same data, but $\mathbf{I}_2$ may have more duplication. This means that $\mathbf{I}_2$ may have more copies of
things in $\mathbf{I}_1$, and these copies may have more internal duplication.

Definition 48: Let $\mathbf{I}_1 = (I_1, r_1)$ and $\mathbf{I}_2 = (I_2, r_2)$ be two extensions of $\mathbf{I}$ to $S_Q$. We say that $\mathbf{I}_1 \preceq \mathbf{I}_2$ iff for
each query node $v$

1. There is a 1-1 function $f_v: I_1(v) \to I_2(v)$ such that for each $l \in I_1(v)$, $l \preceq f_v(l)$, i.e., everything in $I_1(v)$
is in $I_2(v)$, possibly with more internal duplication.

2. For every $l \in I_2(v)$, there is an $l' \in I_1(v)$ such that $l' \preceq l$.

Definition 49: An extension $\mathbf{I}_Q$ of $\mathbf{I}$ to $S_Q$ is called a minimal result of $Q$ iff

1. $\mathbf{I}_Q$ is a result of the query, i.e., $\models_{\mathbf{I}_Q} \varphi_Q$.

2. $\mathbf{I}_Q$ is minimal, i.e., if $\mathbf{I}_Q^*$ is another extension of $\mathbf{I}$ to $S_Q$ such that $\mathbf{I}_Q^* \preceq \mathbf{I}_Q$, but $\mathbf{I}_Q^*$ is not isomorphic
to $\mathbf{I}_Q$ relative to $S$, then $\mathbf{I}_Q^*$ is not a result of $Q$, i.e., $\not\models_{\mathbf{I}_Q^*} \varphi_Q$.


Definition 50: A query $Q$ is called safe up to duplication on $\mathbf{I}$ iff $Q$ has a unique minimal result on $\mathbf{I}$. $Q$
is safe up to duplication iff it is safe on all instances $\mathbf{I}$ of $S$.


Example  24:  If  we  write  the  query  of  Example  23  as  (SQ,  <^)  we  get  a  somewhat  simpler  query. 

This  query  is  safe  up  to  duplication  and  has  the  desired  result. 


A.3. Absolute Safety

The other way to simplify the user queries is to enable the user to avoid having to specify $\varphi_3$ explicitly. $\varphi_3$
just says that anything that is allowed (by $\varphi_1$) to be in the result actually appears in it. In other words,
what we want to do is to maximize the data in the result. We also want to combine this with minimizing
the duplication as above. An absolutely safe query will be one that has a unique result under this combined
approach, i.e., maximize data and minimize duplication.

We  first  define  what  it  means  to  say  that  an  instance  contains  more  data  than  another  instance. 
Definition 51: Let $\mathbf{I}_1 = (I_1, r_1)$ and $\mathbf{I}_2 = (I_2, r_2)$ be two extensions of $\mathbf{I}$ to $S_Q$. We say that $\mathbf{I}_2$ contains
at least as much data as $\mathbf{I}_1$, and write $\mathbf{I}_1 \le \mathbf{I}_2$, iff for each query node $v$ and each element $l_1$ of $I_1(v)$, there
is an element $l_2$ of $I_2(v)$ that contains the same information, possibly with more internal duplication, i.e.,
$l_1 \preceq l_2$.

Definition 52: An extension $\mathbf{I}_Q$ of $\mathbf{I}$ to $S_Q$ contains the maximum data satisfying $Q$ iff

1. $\mathbf{I}_Q$ is a result of $Q$, i.e., $\models_{\mathbf{I}_Q} \varphi_Q$.

2. $\mathbf{I}_Q$ is a maximum result, i.e., if $\mathbf{I}_Q^*$ is an extension of $\mathbf{I}$ to $S_Q$ that satisfies $\models_{\mathbf{I}_Q^*} \varphi_Q$, then $\mathbf{I}_Q^* \le \mathbf{I}_Q$.

Definition 53: The absolute result of $Q$ is an extension $\mathbf{I}_Q$ of $\mathbf{I}$ to $S_Q$ such that $\mathbf{I}_Q$ is minimal under $\preceq$
in the class of maximum results, i.e., the class

$$\{\mathbf{I}'_Q \mid \mathbf{I}'_Q \text{ contains the maximum data satisfying } Q\}$$

Definition  54:  Q  is  absolutely  safe  on  I  iff  it  has  a  unique  absolute  result,  up  to  isomorphism.  Q  is 
absolutely  safe  iff  it  is  absolutely  safe  on  all  database  instances. 

Example 25: The query of Example 23 can be written as the absolutely safe query $(S_Q, \varphi_1 \land \varphi_4)$.


A.4.  Undecidability 

What  we  have  shown  so  far  is  how  we  can  reduce  the  amount  of  work  the  user  has  to  do  in  order  to  write  a 
safe  query.  The  language  we  get  is  close  in  this  respect  to  the  relational  tuple  calculus.  In  order  to  do  this, 
however,  we  had  to  make  the  definition  of  what  the  result  of  a  query  is  much  more  complicated  and  less 

Besides this, it turns out that all three of the approaches we described are too powerful. We look now
at the question of how to test whether a given query is safe, either up to isomorphism, up to duplication or
absolutely. It is not hard to see that we can reduce testing whether a query in the relational model is safe
to testing safety under any of these definitions. Since testing a relational query for safety is undecidable
[Pao69], the undecidability of testing for our types of safety follows immediately. In the relational model this
undecidability  is  not  a  problem.  The  reason  for  this  is  that  if  we  are  given  a  database  instance  we  can  test 
whether  the  query  is  safe  and  we  can  compute  the  result  when  it  is.  Furthermore,  we  can  give  restrictions 
on  the  query  language  that  allow  the  user  to  write  only  safe  queries,  and  if  all  the  domains  are  finite  then 
all  relational  queries  are  safe.  What  is  undecidable  is  just  to  test  whether  a  query  is  safe  for  all  possible 
database  instances.  Our  three  definitions  of  safety,  on  the  other  hand,  are  too  powerful,  since  even  if  we  are 
given  a  database  instance,  it  is  still  undecidable  whether  a  query  is  safe  on  it. 

Theorem 46: There is an acyclic schema $S$,¹ an instance $\mathbf{I}$ of $S$ and a query $Q$ on $S$, such that it is
undecidable whether the query is safe on $\mathbf{I}$ up to isomorphism, up to duplication or absolutely.

Proof: We reduce testing the three kinds of safety to testing whether a sentence in a first-order theory with
equality and one ternary relation symbol $R(x, y, z)$ has a finite model [Tra50]. The database schema $S$ will
be the empty schema ($V = \emptyset$), which immediately turns both testing for safety on a fixed instance, and on
all instances, into the same problem. The query schema $S_Q$ is shown in Fig. 64. It has $v \prec_Q u$.

¹ The reason for mentioning the fact that it is acyclic is that otherwise the cyclicity of $S$ might appear to be what causes the
undecidability.

Figure 64: Undecidable query


Let $\varphi$ be a sentence in the first-order theory. We convert this into an LDM sentence $L(\varphi)$ as follows.

1. Introduce a variable $x_v$ for each variable $x$ in $\varphi$.

2. Replace each quantifier $Qx$ by $Qx_v$.

3. Replace each atomic formula $x = y$ in $\varphi$ by the LDM formula $x_v =_l y_v$.

4. Replace each atomic formula $R(x, y, z)$ by the LDM formula

$$\varphi_R = (\exists w_u)(w_u =_r (x_v, y_v, z_v))$$

The query $Q = (S_Q, \psi)$ has $\psi$ equal to

$$\begin{aligned}
L(\varphi) & \land (\forall x_v^1)(\forall x_v^2)(x_v^1 =_r x_v^2 \Rightarrow x_v^1 =_l x_v^2) \land (\forall y_u^1)(\forall y_u^2)(y_u^1 =_r y_u^2 \Rightarrow y_u^1 =_l y_u^2) \\
& \land (\forall x_v)(\exists y_u)(x_v \,\pi_1\, y_u \lor x_v \,\pi_2\, y_u \lor x_v \,\pi_3\, y_u)
\end{aligned}$$

The intention is that this formula says that the result of the query corresponds to a model of $\varphi$. The three
final conjuncts say that the result has no duplication, and that there are no unnecessary elements in $v$.

We first show that $\varphi$ has a finite model if and only if there is a (finite) instance of $S_Q$ that satisfies $\psi$.
Let $\mathbf{I}$ be such an instance. We define a finite model $M$ of $\varphi$ as follows.

The domain of the model is the set of data elements in the instance, i.e., $D^M = \{d \in D \mid (\exists l \in I(v))(r(l) = d)\}$.
If $a$, $b$ and $c$ are in the domain, then $(a, b, c)$ is in $R^M$ if, intuitively, $(a, b, c)$ is in
the instance. Formally, this means that there are l-values $l_1$, $l_2$ and $l_3$ in $I(v)$ and $l$ in $I(u)$ such that
$r(l) = (l_1, l_2, l_3)$, $l_1 =_r a$, $l_2 =_r b$ and $l_3 =_r c$.

We  show  that  M  is  a  model  of  <p  by  induction  on  the  size  of  <p.  Let  ^  be  a  subformula  of  d>  with  the 
free  variables  Then  the  free  variables  of  L(4>)  are  *J,  . . . ,  x".  For  any  assignment  of  domain 

elements  Oi,  .  an  to  these  variables,  there  are  unique  l-values  /i,  ....  /„  in  I(v)  with  r(l,)  =  a,  for  all  i 
1  <  »  <  n,  and  there  is  a  unique  l  in  7(u)  such  that  r(l)  =  (/x  We  now  show  that 


1=  M  ^(°i . ««)  Nl  L{<P){h 

For  atomic  formulas  4>  of  the  form  x  =  y  this  is  obvious.  For  atomic  formulas  of  the  form  R(x,  y,  z),  1(1)  is 
defined  as  (3rou)(u;u  =r  (xv,yv,zv)),  and  then  KV> 


f=  M  ^(«i .  «2,  a3)o(«i ,  a2,  a3)  £  RM 

O  For  some  l  in  I(u),  r(l)  =  (lltl2,  h) 
L(<p)(li,l2,l3) 
The result now follows by a straightforward induction, and shows that $\models_{\mathbf{I}} L(\varphi)$ is equivalent to $\models_M \varphi$.
Therefore $M$ is a model of $\varphi$.

For the converse, let $M$ be a finite model of $\varphi$. We define an instance $\mathbf{I}$ of $S_Q$ that satisfies $L(\varphi)$ as
follows. Let the domain of $M$ be the finite set $A$. Introduce new l-values as necessary, and define

$$\begin{aligned}
I(v) &= \{l_a \mid a \in A\}, \\
I(u) &= \{l_{R(a,b,c)} \mid a, b, c \in A \text{ and } \models_M R(a, b, c)\}, \\
r(l_a) &= a, \\
r(l_{R(a,b,c)}) &= (l_a, l_b, l_c)
\end{aligned}$$

By a straightforward induction, we can show that $\models_{\mathbf{I}} L(\varphi)$ holds. It is easy to see that the remaining
conjuncts in the definition of $\psi$ also hold, and therefore $\models_{\mathbf{I}} \psi$.
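The two directions of this correspondence can be traced on a small model. The following Python sketch is an added example, not code from the thesis: l-values are modelled as tagged tuples, all function names and the sample model are constructed for illustration, and the third conjunct of the query sentence is read as "every element of v is a component of some element of u".

```python
from itertools import product

# Constructed sample model M: domain A and ternary relation R^M.
SAMPLE_DOMAIN = {0, 1, 2}
SAMPLE_R = {(0, 1, 2), (1, 2, 0), (2, 2, 2)}


def instance_from_model(domain, R):
    """Converse direction: build I(v), I(u) and r from a finite model (A, R)."""
    l_of = {a: ("v", i) for i, a in enumerate(sorted(domain))}  # the l-value l_a
    r = {l: a for a, l in l_of.items()}                         # r(l_a) = a
    I_u = set()
    for j, (a, b, c) in enumerate(sorted(R)):
        l = ("u", j)                                            # the l-value l_R(a,b,c)
        r[l] = (l_of[a], l_of[b], l_of[c])                      # r = (l_a, l_b, l_c)
        I_u.add(l)
    return set(l_of.values()), I_u, r


def model_from_instance(I_v, I_u, r):
    """Forward direction: read the domain D^M and the relation R^M off an instance."""
    domain = {r[l] for l in I_v}
    R = {tuple(r[component] for component in r[l]) for l in I_u}
    return domain, R


def holds_L_R(I_v, I_u, r, a, b, c):
    """Evaluate (exists w_u)(w_u =_r (x_v, y_v, z_v)) with x, y, z assigned a, b, c."""
    by_value = {r[l]: l for l in I_v}   # unique l-value per element when v has no duplication
    if not all(x in by_value for x in (a, b, c)):
        return False
    target = (by_value[a], by_value[b], by_value[c])
    return any(r[w] == target for w in I_u)


def remaining_conjuncts(I_v, I_u, r):
    """Return (no duplication in v, no duplication in u, every element of v is used in u)."""
    no_dup_v = len({r[l] for l in I_v}) == len(I_v)
    no_dup_u = len({r[l] for l in I_u}) == len(I_u)
    used = {component for w in I_u for component in r[w]}
    return no_dup_v, no_dup_u, I_v <= used


def agrees_with_model(domain, R):
    """Check that R(a,b,c) holds in M exactly when its translation holds in the instance."""
    I_v, I_u, r = instance_from_model(domain, R)
    return all(
        holds_L_R(I_v, I_u, r, a, b, c) == ((a, b, c) in R)
        for a, b, c in product(sorted(domain), repeat=3)
    )


if __name__ == "__main__":
    I_v, I_u, r = instance_from_model(SAMPLE_DOMAIN, SAMPLE_R)
    print(model_from_instance(I_v, I_u, r) == (SAMPLE_DOMAIN, SAMPLE_R))
    print(agrees_with_model(SAMPLE_DOMAIN, SAMPLE_R))
    print(remaining_conjuncts(I_v, I_u, r))
```

Adding a second l-value to `I_v` with an r-value that is already present makes the first component of `remaining_conjuncts` false, which is the duplication the extra conjuncts rule out.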

We now return to the undecidability of testing whether a query is safe. Assume that one of the three types
of safety is decidable, and let $\varphi$ be a sentence over the above first-order logic. We show how to use the test
for safety to test whether $\varphi$ has a finite model. Define $Q$ as above, and apply the decision procedure for the
relevant type of safety to $Q$. If the query is safe, then $\varphi$ has a finite model. If the query is unsafe, however,
this does not necessarily mean that $\varphi$ has no finite model. In fact, there are two possibilities


1.  Q  has  no  result. 

2.  Q  has  more  than  one  result. 

To distinguish between these two possibilities, and from that to deduce whether $\varphi$ has a finite model, we
define a new query $\bar{Q} = (S_Q, \bar{\psi})$ in which

$$\bar{\psi} = \psi \lor (\forall x_v^1)(x_v^1 \neq_l x_v^1)$$

Then $\models_{\mathbf{I}} \bar{\psi}$ if and only if $\models_{\mathbf{I}} \psi$ or $\models_{\mathbf{I}} (\forall x_v^1)(x_v^1 \neq_l x_v^1)$. The latter formula is satisfied only by the empty
instance $\mathbf{I}_0$ with $I_0(u) = I_0(v) = \emptyset$. Since $\models_{\mathbf{I}_0} \bar{\psi}$, there is always at least one instance that satisfies $\bar{\psi}$.
Furthermore, it is easy to see that $\mathbf{I}_0$ is a minimal instance satisfying $\bar{\psi}$.

Apply the test for safety to $\bar{Q}$. We distinguish between the three types of safety, as follows.

1. Safety up to isomorphism. First, assume that $\bar{Q}$ is unsafe. Since $\mathbf{I}_0$ satisfies $\bar{\psi}$, the unsafety implies
that there is some other instance $\mathbf{I}$ that satisfies $\bar{\psi}$. But then $\mathbf{I}$ satisfies $\psi$, thus showing that $\varphi$ has a
finite model.

Now assume that $\bar{Q}$ is safe. Then $\mathbf{I}_0$ is the only instance satisfying $\bar{\psi}$. Since either zero or more than
one instances satisfy $\psi$, there cannot be any instance satisfying $\psi$ and therefore $\varphi$ does not have a finite
model.

2. Safety up to duplication. First, assume that $\bar{Q}$ is unsafe. Since $\mathbf{I}_0$ is a minimal instance that satisfies $\bar{\psi}$,
the unsafety implies that there is some other minimal instance $\mathbf{I}$ satisfying $\bar{\psi}$. But then $\mathbf{I}$ also satisfies
$\psi$ and $\varphi$ has a finite model.

Now assume that $\bar{Q}$ is safe. Then $\mathbf{I}_0$ is the only minimal instance satisfying $\bar{\psi}$. Since there are either
zero or more than one minimal instances satisfying $\psi$, there cannot be any minimal instance satisfying
$\psi$. If there were an instance $\mathbf{I}$ that satisfied $\psi$, the definition of $\psi$ would imply that $\mathbf{I}$ contained no
duplication, and therefore that it must be a minimal instance satisfying $\psi$. This shows that no instance
$\mathbf{I}$ can satisfy $\psi$, and therefore $\varphi$ does not have a finite model.

3. Absolute safety. First, assume that $\bar{Q}$ is unsafe. There are two possibilities

(a) There is no maximum instance satisfying $\bar{\psi}$. On the other hand, we know that $\mathbf{I}_0$ satisfies $\bar{\psi}$.
Since it is not maximum, there must be some other instance satisfying $\bar{\psi}$ and containing at least
as much data as $\mathbf{I}_0$. Such an instance must satisfy $\psi$ and therefore $\varphi$ has a finite model.

(b) There is more than one maximum instance satisfying $\bar{\psi}$. In this case clearly $\varphi$ has a finite model.

Now assume that $\bar{Q}$ is safe. If the maximum instance that satisfied $\bar{\psi}$ is some instance $\mathbf{I}$ other than $\mathbf{I}_0$,
then it is also a maximum instance satisfying $\psi$. This implies that $Q$ is safe, a contradiction. Therefore
$\mathbf{I}_0$ is the only maximum instance satisfying $\bar{\psi}$. If some other instance $\mathbf{I}$ satisfied $\psi$, the maximality of
$\mathbf{I}_0$ would imply that $\mathbf{I} \le \mathbf{I}_0$, a contradiction. Therefore there is no instance satisfying $\psi$, which shows
that $\varphi$ does not have a finite model. ∎

In  short,  our  query  language  is  too  powerful.  One  way  to  see  what  is  wrong  with  it  is  to  restrict  the 
schemas  to  those  that  correspond  to  relations.  We  then  get  a  language  that  is  more  powerful  than  the 
relational  calculus.  Essentially,  this  language  has  queries  whose  result  is  defined  implicitly  rather  than 
explicitly.  For  arbitrary  first-order  structures,  Beth’s  Theorem  [CK73]  says  that  for  any  implicit  definition 
there is an equivalent explicit one, but the theorem does not hold for finite structures, which are what we are
interested  in.  Making  use  of  open  rather  than  closed  formulas,  as  we  did  in  the  LDM  query  language,  seems 
therefore  to  be  the  way  to  proceed. 

There is in fact a close relation between the LDM query language and our absolutely safe queries. At first
it may seem that the LDM query language is actually a special case of the absolutely safe queries. Given
a query $Q = (S_Q,$ if we define $\varphi = \bigwedge_{v \in V} (\forall x_v)\varphi_v(x_v)$ we appear to get an equivalent absolutely safe
query. This turns out, however, not to be the case. If this new query is absolutely safe we can indeed show
that the results of both queries are the same. The following example, however, shows that even if the original
query is safe the new one need not be absolutely safe.


Figure 65: Database schema and logical query

Example  26:  Fig.  65  shows  the  database  schema  (the  node  u)  and  a  query  on  it.  The  formulas  of  Q  are 

$ v  )  —  (3#tt)(iPu  —r 


i.e., $v$ is a copy of $u$, and

$$\varphi_w(x_w) = (\forall x_v)(x_v \in x_w) \land (\forall x_v^1)(\forall x_v^2)(x_v^1 =_l x_v^2)$$

i.e., if there is exactly one l-value in $v$, collect it into a set in $w$, otherwise the result at $w$ is empty. If we
then define

$$\varphi = (\forall x_v)\varphi_v(x_v) \land (\forall x_w)\varphi_w(x_w)$$

we get a query that is not absolutely safe. The reason for this is that if $I(u)$ has more than one element,
then both the instance with $v$ containing a copy of $u$ and $w$ being empty, and the instance with any single
element of $u$ in $v$ and $w$ collecting it into a set, are incomparable instances that satisfy $\varphi$.

The reason for the difference between the absolutely safe queries and the LDM query language is that the
absolutely safe queries try to globally maximize the data in the result whereas in the LDM query language
we maximize the data in the nodes one at a time, in a fixed order.


Appendix  B 

An  Alternative  Logical  Data  Model 


B.1. The Model

In this appendix we describe an earlier attempt that we made to define a logical data model. We wanted a model that would not allow implicit pointers. If, for example, in an LDM schema, we had two different tuples with the same l-value among their components, we would implicitly have a pointer structure. We would be using the l-values as objects having an independent meaning, and this did not seem to us to be desirable except when it was explicitly mentioned as part of the schema definition. We therefore tried to define the schema in such a way that such pointers would only be allowed when they were explicitly represented in the schema. We shall describe this approach, and shall see that we get into serious difficulties
when  we  try  to  define  a  query  language.  The  logical  query  language  will  turn  out  to  requ!  e  Irfgene  a 

boaoTul^  S  "”?*  in „U,1LD“  m0de1'  “d  th“  it  harder  to  uvulu.t.  a  query  by  * 

ratricTiZ  on  ft W  T°,m  * <!Uery  "U  l»ve  to  make  quite  compLaL 

LDM  auervZelS  A$  *  *he  <‘uer>’  »«  get  is  less  intuitive  than  the 

query language, and in addition, we were not able to find an equivalent algebra. All the same, this approach is instructive as it illustrates the kind of problems that we encounter when we try to have general constraints on the result of a query.

r^lTntr11  Cf\ that  We  describe  in  this  appendix  the  “LDM”  model,  to  distinguish  it  from  the 

^  aI1  ^  definiti°nS  herC’  ^  Shal1  ^  ^  d6tails  where  they 

Definition 55: An “LDM” schema S is a directed forest with types associated with the nodes. Cycles will only be allowed by means of a pointer node. A leaf in an “LDM” schema is of one of the following types:

1. Basic type, written □ (the same as in the LDM model).

2. Pointer type, i.e., the type of v is some other node of S. These nodes will be drawn as • together with an arrow to the node that they point to.

Other nodes are of the types ⊗ and ⊛. To keep the model simple, we leave out the type A.

l-values and r-values are defined as in the LDM model, with one additional restriction. We require that no l-value appears as the member of more than one set or as the component of more than one tuple. On the other hand, it can occur any number of times as the r-value of a pointer node.

Definition 56: We shall use the symbol $L(I)$ to represent the set of l-values used in the instance I, i.e., $L(I)$ will be $\bigcup_{v \in V} I(v)$.

Since the underlying graph of the schema S is a forest, given a set $L_0$ of l-values that are used in the instance I, we can define the set of the descendants of these l-values, something we shall need later on.

Definition 57: Let $L_0$ be a subset of $L(I)$, the set of l-values used in I. $\mathrm{Desc}(L_0) = \bigcup_{l \in L_0} \mathrm{Desc}(l)$, where $\mathrm{Desc}(l)$, the set of descendants of the l-value $l \in I(v)$, is defined as follows.

1. If v is a leaf, then $\mathrm{Desc}(l) = \{l\}$. Note that we do not follow pointers, and therefore the recursive definition will always terminate.

2. If $n(v) = \otimes$ and $r(l) = (l_1, \ldots, l_n)$ then $\mathrm{Desc}(l) = \{l\} \cup \mathrm{Desc}(l_1) \cup \cdots \cup \mathrm{Desc}(l_n)$.

3. If $n(v) = \circledast$, then $\mathrm{Desc}(l) = \{l\} \cup \bigcup_{l' \in r(l)} \mathrm{Desc}(l')$.

We define the “LDM” logic in a similar way to the LDM logic. If a node u points to a node v, the atomic formula x pyu will mean that the value of $x_v$ is what the value of $y_u$ points to. Isomorphism is also defined in a similar way to the LDM model, and we can then show that satisfaction is preserved under isomorphism.


B.2.  The  Query  Language 

Defining a logical query language is harder than in the LDM model. The problem is that if we try to do a bottom-up node-by-node evaluation, we put only one copy of each item in each node: no duplication. However, when we get to, say, a node of type ⊗, we have a problem. As no two tuples can contain the same l-value as a component, we may need more than one copy of an item in a node. Furthermore, we have no idea in advance how many copies are needed until we get to that node. This suggests that we have to use some global formula, rather than one formula per node. In general this results in the same problems we had when we tried to define LDM queries this way. However, in this case, we were able to find a restricted class of queries which we were able to handle.

This class of queries has schemas that consist of a single tree with root r and without pointers; we could allow pointers to database nodes, but decided not to, in order to keep the model as simple as possible. The query will also have an “LDM” formula $\varphi(x_r)$ that describes what objects should be at the root of •

The instances of internal nodes in the tree, unlike those in the LDM model, have no independent meaning. They contain only those objects needed to structure the objects at the root r.

The bound variables in $\varphi(x_r)$ range over database nodes and over descendants of r. This turns out to lead to the same problems of implicit definition of the result that we encountered in our first attempt at defining the LDM query language. As we are interested only in the objects at the root, and we want to create other objects only when necessary, we restrict the query language to allow us to refer only to those elements of internal nodes of the query that are descendants of the object represented by $x_r$. We do this by restricting the quantifiers that are allowed in $\varphi(x_r)$, in the following way.

1. Let v be a query node whose parent is a node u of type ⊛. To understand the motivation behind the definition, assume that somehow we have reached the value of the variable $x_u$ from the root. Instead of allowing unrestricted quantification over v, we allow quantification only over those elements that are elements of $x_u$. We write this as $(\forall y_v \in x_u)\psi$. Formally this will be equivalent to

$$(\forall y_v)(y_v \in x_u \Rightarrow \psi).$$

2. If v is a query node with parent u of type ⊗ and v is u's kth child, we allow quantification over v only through using quantifiers of the form $(\forall y_v \times_k x_u)\psi$. Note that in this case, unlike in the previous one, the value of $x_u$ uniquely determines the value of $y_v$. The only reason for using quantification is to avoid having to introduce some other function symbol.

3.  Variables  can  range  freely  over  database  nodes,  i.e.,  there  are  no  restrictions  on  how  we  may  quantify 
these  variables. 

The  definition  of  a  query  is: 

Definition 58: A query Q on S consists of a pair $(S', \varphi)$ where

1. S', the query schema, is a schema with no pointer nodes, in which the underlying graph is a tree with root r.

2. $\varphi(x_r)$ is an “LDM” formula with the properties:

(a) $\varphi(x_r)$ has exactly one free variable and this variable is of sort r.

(b) Every quantifier in $\varphi$ on a variable that ranges over a query node is either of the form $(\forall y_w \in z_u)\psi$ or $(\forall y_w \times_k z_u)\psi$, where $z_u$ is a variable that occurs free in the subformula $\psi$.

If Q is a query on S, $S_Q$ will denote the final schema, i.e., S combined with S'.

When evaluating a query, we will have to put duplicates in some of the nodes. We first define precisely what duplication is, by defining an equivalence relation between l-values in two extensions $I_1$ and $I_2$ of I to $S_Q$. Two l-values in the database instance I will be equivalent only when they are equal. On the other hand, two l-values in query nodes will be equivalent provided that when we follow all the paths from these l-values down to the leaves we get the same information.

Definition 59: Let $l_1$ be an element of $I_1(v)$ and $l_2$ an element of $I_2(v)$. We say that $l_1$ and $l_2$ are equivalent, and write $l_1 \equiv l_2$, if the following holds.

1. If v is a node in the database schema S, then $l_1 = l_2$.

2. If v is a node in the query schema S', then

(a) If v is a leaf of any type, then $r_1(l_1) = r_2(l_2)$.

(b) If v is of type ⊗ then all the components are equivalent, i.e., for each i, $1 \le i \le n$, $\pi_i(r_1(l_1)) \equiv \pi_i(r_2(l_2))$.

(c) If v is of type ⊛, then for each $l \in r_1(l_1)$, there is an $l' \in r_2(l_2)$ such that $l \equiv l'$, and vice versa. Note that this allows duplication inside sets. This will be specifically forbidden in the definition of the result of a query.

We  shall  now  give  a  list  of  properties  that  we  would  like  the  result  of  a  query  to  satisfy.  These  properties 
are  similar  to  those  that  the  result  of  an  LDM  query  satisfies,  as  in  Lemma  22.  We  shall  use  these  properties 
as  the  definition  of  the  result,  and  then  investigate  when  it  is  well-defined. 

Definition 60: The result of Q on an instance I of S is an extension $I_Q$ of I to $S_Q$ that satisfies:

1. For every $l$ in $I_Q(r)$, $\models_{I_Q} \varphi(l)$.

2. There is no duplication at the root, i.e., if $l_1$ and $l_2$ are l-values in $I_Q(r)$ and $l_1 \equiv l_2$, then $l_1 = l_2$.

3. There are no unnecessary l-values in the result, so that whenever an l-value $l$ is used in the result, it must be a descendant of some l-value in $I_Q(r)$, i.e., it must be in $\mathrm{Desc}(I_Q(r))$.

4. There is no duplication in nodes of type ⊛, i.e., if v is a query node of type ⊛ and $l$ is an element of $I_Q(v)$, then $l_1, l_2 \in r(l)$ together with $l_1 \equiv l_2$ imply that $l_1 = l_2$.

5. The result is maximal, i.e., if $I'_Q$ is another extension of I to $S_Q$ that also satisfies 1-4, then $I'_Q$ can be embedded in an instance isomorphic to $I_Q$.

Let $I_Q$ be an extension of I to Q and let $L_0$ be a set of l-values used in $I_Q$. We shall define $\mathrm{Restrict}(I_Q, L_0)$ as the minimal extension of I to $S_Q$ that uses all the l-values in $L_0$.

Definition 61: Let $I_Q$ be an extension of I to $S_Q$. Let $L_0$ be a set of l-values that are used in the result of the query (but not in the database). The restriction of $I_Q$ to $L_0$, written $\mathrm{Restrict}(I_Q, L_0) = I'_Q$, is the following instance of $S_Q$.

1. For each query node w, $I'_Q(w)$ is equal to $I_Q(w) \cap \mathrm{Desc}(L_0)$.

2. For each database node w, $I'_Q(w)$ is equal to $I(w)$.


Lemma 47: $\mathrm{Restrict}(I_Q, L_0)$ is an instance of $S_Q$. ∎

We next show that because of the restrictions on the form $\varphi(x_r)$ can have, we are able to test if an object should be in the result of the query, by looking only at the descendants of this object, and not at anything else in any query node.

Lemma 48: Let $I_Q$ be an extension of I to Q, and let $l$ be an l-value in $I_Q(r)$. Then

$$\models_{I_Q} \varphi(l) \iff \models_{\mathrm{Restrict}(I_Q, \{l\})} \varphi(l)$$

Proof: Let $I'_Q = \mathrm{Restrict}(I_Q, \{l\})$. The result will follow immediately from the following inductive assertion, by taking $\psi = \varphi(x_r)$.

Let $\psi(x^1_{v_1}, \ldots, x^n_{v_n})$ be a subformula of $\varphi$ with free variables $x^1_{v_1}, \ldots, x^n_{v_n}$. Let $l_j \in I'_Q(v_j)$, $j = 1, \ldots, n$. Then

$$\models_{I_Q} \psi(l_1, \ldots, l_n) \iff \models_{I'_Q} \psi(l_1, \ldots, l_n)$$

This is trivial whenever $\psi$ is an atomic formula or is of the form $\neg\psi'$ or $\psi_1 \vee \psi_2$. When we quantify over a variable whose sort is a database node, the result is also immediate. The remaining cases are

1. $\psi$ is $(\forall y_w \times_k x_{v_i})\psi'(x^1_{v_1}, \ldots, x^n_{v_n}, y_w)$. By the definition of the restricted quantification,

$$\models_{I'_Q} (\forall y_w \times_k x_{v_i})\psi'(l_1, \ldots, l_n)$$

is equivalent to

$$\models_{I'_Q} \psi'(l_1, \ldots, l_n, \pi_k(l_i))$$

Since $l_i \in I'_Q(v_i)$, $\pi_k(l_i)$ is in $I'_Q(w)$, and the inductive hypothesis implies that this is equivalent to $\models_{I_Q} \psi'(l_1, \ldots, l_n, \pi_k(l_i))$, and therefore to $\models_{I_Q} \psi(l_1, \ldots, l_n)$.

2. $\psi$ is $(\forall y_w \in x_{v_i})\psi'(x^1_{v_1}, \ldots, x^n_{v_n}, y_w)$. By definition,

$$\models_{I'_Q} (\forall y_w \in x_{v_i})\psi'(l_1, \ldots, l_n)$$

is equivalent to $\models_{I'_Q} \psi'(l_1, \ldots, l_n, l)$, for all $l$ in $r(l_i)$. Since $l_i$ is an element of $I'_Q(v_i)$, all the members of $r(l_i)$ are in $I'_Q(w)$, and therefore, by the inductive hypothesis, this is equivalent to $\models_{I_Q} \psi'(l_1, \ldots, l_n, l)$ for all $l$ in $r(l_i)$, i.e., to $\models_{I_Q} \psi(l_1, \ldots, l_n)$. ∎

This lemma is the crucial one behind the definition of the query language. It says that the truth of a formula depends only on the contents of $l$ and its descendants, and not on anything else in the result of the query, and therefore we can look for the objects we want to put at the root, one at a time, without considering any interactions between these objects.


Theorem 49: Let $I_Q$, $I'_Q$ be two results of Q. Then $I_Q$ and $I'_Q$ are isomorphic relative to S.

Proof: By part 5 of Definition 60, $I'_Q$ can be isomorphically embedded in $I_Q$, and vice versa. If f and g are these isomorphisms, the fact that all instances are finite implies that f and g are 1-1 and onto, and hence that the instances $I_Q$ and $I'_Q$ are isomorphic. ∎


B.3.  Safety 

In the previous section we assumed that the query Q had a result, and showed that then the result is unique. If we were to remove the requirement that an instance be finite, we would expect a result always to exist, as is shown by the following informal argument.

Define an extension $I_Q$ of I to Q by defining $I_Q(v)$ at each leaf v to be an infinite set of l-values, one for each possible data element $d \in D$. Going up the tree, put all tuples made out of the children of a node of type ⊗ at that node. Each node of type ⊛ contains the entire powerset of its child. In both cases, no l-value can be in more than one tuple or in more than one set, so we have to create duplicate l-values when necessary. We repeat this until reaching the root r, and then remove all the l-values in $I_Q(r)$ that do not satisfy $\varphi$. Finally, we restrict $I_Q$ to the descendants of the l-values in $I_Q(r)$. It turns out that whenever this instance is finite, it is the result of the query. We can also show the converse, that whenever the query has a result, it is isomorphic to the “instance” we constructed here, and hence this “instance” is finite. As in the relational model, we define

Definition 62: Q is safe on an instance I of S iff Q has a result on I.


This definition of safety turns out to be closely related to the safe queries in the relational calculus and in the LDM model, as it captures a similar finiteness property. We now formalize the construction that we described above. We first have to define duplication of l-values more precisely.

We do this by defining a function Dup that has two arguments: an instance $I_0$ of the database together with some of the query nodes, and a set $L_0$ of l-values in $L(I_0)$. $L_0$ is the set of l-values that we want to duplicate. The result of Dup consists of:

1. An instance $I_1$ that is a superset of $I_0$.

2. A function Copy that maps the duplicated l-values in $\mathrm{Desc}(L_0)$ into their duplicates.

Definition 63: Let $I_0$ be an instance of the database together with some of the query nodes, and let $L_0$ be a set of l-values used in $I_0$. The result of the function $\mathrm{Dup}(L_0, I_0)$ consists of a pair $(I_1, \mathrm{Copy})$. Let $L_1 = \mathrm{Desc}(L_0)$. For each $l$ in $L_1$, we introduce a new l-value which will be called $\mathrm{Copy}(l)$. For each node v, $I_1(v)$ will be $I_0(v)$ together with the relevant new l-values, i.e., $I_1(v) = I_0(v) \cup \mathrm{Copy}[L_1 \cap I_0(v)]$. For each new l-value $\mathrm{Copy}(l)$, where $l \in L_1$, we now define $r(\mathrm{Copy}(l))$. Let $l$ be an element of $I_0(w)$.

1. If w is a leaf, then $r(\mathrm{Copy}(l)) = r(l)$.

2. If w is of type ⊗, and $r(l) = (l_1, \ldots, l_n)$ then

$$r(\mathrm{Copy}(l)) = (\mathrm{Copy}(l_1), \ldots, \mathrm{Copy}(l_n))$$

3. If w is of type ⊛, then $r(\mathrm{Copy}(l)) = \{\mathrm{Copy}(l') \mid l' \in r(l)\}$.

Lemma 50: Let $\mathrm{Dup}(L_0, I_0) = (I_1, \mathrm{Copy})$. Then

1. $I_1$ is an instance of the schema.

2. The result of Dup is well-defined, i.e., if we choose different new l-values we get an isomorphic result.

3. The domain of the function Copy is the set $\mathrm{Desc}(L_0)$ of descendants of the l-values in $L_0$, and its range is $L(I_1) - L(I_0)$. ∎
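
Definitions 56, 57 and 63 can be exercised on a small instance. The Python code below is an added example, not part of the original text: the `Instance` class, the type names "basic", "pointer", "tuple" and "set", the `copyN` naming of new l-values and the sample data are all assumptions made for illustration. It computes Desc without following pointers, builds Dup, and checks the restriction that no l-value is a component or member more than once.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Instance:
    types: dict    # node -> "basic" | "pointer" | "tuple" | "set" (assumed names)
    members: dict  # node -> set of l-values, i.e. I(v)
    r: dict        # l-value -> r-value: datum, pointed-to l-value, tuple or frozenset

    def node_of(self, l):
        return next(v for v, ls in self.members.items() if l in ls)

    def lvalues(self):  # L(I), Definition 56
        return set().union(*self.members.values())

def desc(inst, L0):
    """Desc(L0), Definition 57. Leaves, pointer leaves included, contribute only themselves."""
    out, stack = set(), list(L0)
    while stack:
        l = stack.pop()
        if l not in out:
            out.add(l)
            if inst.types[inst.node_of(l)] in ("tuple", "set"):
                stack.extend(inst.r[l])  # tuple components or set members
    return out

def dup(inst, L0):
    """Dup(L0, I0), Definition 63: returns (I1, Copy)."""
    L1 = desc(inst, L0)
    fresh = (f"copy{i}" for i in count(1) if f"copy{i}" not in inst.r)
    copy = {l: next(fresh) for l in sorted(L1)}
    members = {v: ls | {copy[l] for l in ls & L1} for v, ls in inst.members.items()}
    r = dict(inst.r)
    for l, c in copy.items():
        kind = inst.types[inst.node_of(l)]
        if kind == "tuple":
            r[c] = tuple(copy[x] for x in inst.r[l])
        elif kind == "set":
            r[c] = frozenset(copy[x] for x in inst.r[l])
        else:
            r[c] = inst.r[l]  # leaf: same r-value, so a copied pointer keeps its target
    return Instance(inst.types, members, r), copy

def shared_lvalues(inst):
    """l-values used as a component or member more than once (forbidden in an "LDM" instance)."""
    seen, bad = set(), set()
    for v, ls in inst.members.items():
        if inst.types[v] in ("tuple", "set"):
            for l in ls:
                for x in inst.r[l]:
                    (bad if x in seen else seen).add(x)
    return bad

def sample_instance():
    """Constructed data: team = set of person, person = (name, boss), boss points to a person."""
    types = {"name": "basic", "boss": "pointer", "person": "tuple", "team": "set"}
    members = {"name": {"n1", "n2"}, "boss": {"b1", "b2"},
               "person": {"p1", "p2"}, "team": {"t1"}}
    r = {"n1": "ann", "n2": "bob", "b1": "p2", "b2": "p2",
         "p1": ("n1", "b1"), "p2": ("n2", "b2"), "t1": frozenset({"p1", "p2"})}
    return Instance(types, members, r)
```

In the sample, `b2` points back to the tuple `p2` that contains it, so the instance is cyclic only through a pointer, and `desc` still terminates because it never follows that pointer.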

We now return to the construction of the result of Q. We are given an instance I of S, and we construct an extension $I_Q$ of I to $S_Q$.

1. If v is a query leaf, its r-values will be

$$R_0 = \{d_1, \ldots, d_k\} \cup \bigcup_{w \text{ is a database node of type } \square} r[I(w)]$$

where $d_1, \ldots, d_k$ are the elements of D that appear in $\varphi$. This resembles the safety requirement in the relational model and in the LDM model. $I_Q(v)$ contains one l-value for each element of $R_0$, with the corresponding r-values.

2. If v is a node of type ⊗ with children $v_1, \ldots, v_n$, we would like $I_Q(v)$ to contain all the tuples in $I_Q(v_1) \times \cdots \times I_Q(v_n)$. However, since no l-value can be in more than one tuple, we have to create duplicate

l-values.  We  therefore  apply  the  function  Dup(Jq(^)>  Iq)  \^(vj )l  ~  Then  for  each  tuple 

$(l_1, \ldots, l_n)$ where each $l_i$ is in the original instance of $v_i$ we introduce a new l-value $l \in I_Q(v)$, whose r-value is a tuple whose components are equivalent to the $l_i$'s. We can do this in such a way that we use each l-value in the instances of the children of v exactly once.

3. If v is of type ⊛ with child w we do a similar construction, but this time we duplicate $I_Q(w)$ $2^{(|I(w)|-1)} - 1$ times, so that we can put all possible subsets as r-values in $I_Q(v)$ without repeating l-values.

We then define $L_0$ as those elements $l$ of $I_Q(r)$ that satisfy $\models_{I_Q} \varphi(l)$ and replace $I_Q$ by $\mathrm{Restrict}(I_Q, L_0)$.

Lemma 51: Let Q be a query on a schema S with instance I. Let $I^*$ be the instance created by the above construction. Then Q is safe on I iff $I^*$ is the result of Q.

Proof: The first direction, showing that Q is safe whenever $I^*$ is the result of Q.

To show the converse, assume that $I^*$ is not the result of Q. It is easy to see that $I^*$ satisfies parts 1-4 of Definition 60, and therefore must violate the fifth part, i.e., the maximality condition. Therefore, there is some other instance $I^{**}$ satisfying 1-4 of Definition 60 that cannot be isomorphically embedded in $I^*$. If all the r-values of the query leaves in $I^{**}$ are also r-values of the query leaves in $I^*$, it is not hard to see that since our construction considers all possible combinations of these l-values it must be possible to embed $I^{**}$ in $I^*$. Therefore there must be some data element $d_0$ that is an r-value of some query leaf in $I^{**}$ but not in $I^*$. If $d_0$ were in the set $R_0$, we would consider all objects involving it when constructing $I^*$ and therefore $d_0 \notin R_0$. But then, as in the LDM query language, we can replace $d_0$ by any such constant, i.e., any element of $D - R_0$, and get an object that satisfies $\varphi$. Therefore Q is unsafe. ∎